www.belgium.be Logo of the federal government

WARNING: CRITICAL VULNERABILITIES (CVE-2025-23087, CVE-2025-23088, CVE-2025-23089) IN NODE.JS COULD LEAD TO UNAUTHORIZED ACCESS, CODE EXECUTION, DATA LOSS, OR SYSTEM COMPROMISE, PATCH IMMEDIATELY!

Referentie: 
Advisory #2025-24
Versie: 
1.0
Geïmpacteerde software: 
Node.js: v17.x, v19.x, v21.x
Type: 
Insufficient security control, code execution, inadequate access control
CVE/CVSS: 

•    CVE-2025-23087: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
•    CVE-2025-23088: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
•    CVE-2025-23089: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Datum: 
31/01/2025

Bronnen

NodeJS: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Risico’s

By exploiting these vulnerabilities, a threat actor can:

  • Gain unauthorized access to the system due to insufficient security controls in older Node.js versions,
  • Bypass security mechanisms and execute arbitrary code, potentially compromising the system,
  • Leverage inadequate access controls to obtain unauthorized access and carry out malicious activities.

These vulnerabilities have a significant impact on confidentiality, integrity, and availability.

There is currently no evidence of these vulnerabilities being actively exploited, nor are there any proof-of-concept exploits available at this time.

Beschrijving

These vulnerabilities allow potential exposure to unaddressed software vulnerabilities via the continued use of End-of-Life (EOL) versions that no longer receive security updates or patches.

  • CVE-2025-23087 (Node.js v17.x and earlier): This critical vulnerability affects outdated Node.js versions (v17.x and prior), potentially allowing attackers to gain unauthorized access due to inadequate security mechanisms.
  • CVE-2025-23088 (Node.js v19.x): A severe flaw in Node.js v19.x enables attackers to bypass security protections and execute arbitrary code.
  • CVE-2025-23089 (Node.js v21.x): This vulnerability, like CVE-2025-23088, affects Node.js v21.x and arises from insufficient access controls, making exploitation possible.

Apart from the critical vulnerabilities, there are three vulnerabilities of lower severity:

  • CVE-2025-23083 (Worker Permission Bypass): A high-severity vulnerability in Node.js v20.x, v22.x, and v23.x, where an attacker can exploit an internal worker leak through the diagnostics_channel utility. This could grant unauthorized access to restricted worker threads, potentially escalating privileges.
  • CVE-2025-23084 (Path Traversal on Windows): A medium-severity vulnerability affecting Node.js on Windows, where improper handling of drive names allows attackers to bypass path restrictions and access unauthorized directories.
  • CVE-2025-23085 (GOAWAY HTTP/2 Memory Leak): A memory leak issue impacting Node.js v18.x, v20.x, v22.x, and v23.x, occurring when a remote peer closes a socket without sending a GOAWAY signal. This flaw may lead to excessive resource consumption and potential denial-of-service (DoS) conditions.

Aanbevolen acties

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Referenties

Cyble: https://cyble.com/blog/critical-vulnerabilities-in-node-js-expose-systems/