VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-6m5m-4t1s-s3da

Essentials
Severities (33)
References (20)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-6m5m-4t1s-s3da
Aliases	CVE-2025-23166
Summary	The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-248

Uncaught Exception

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23166.json
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23166.json
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00062	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00062	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2025-23166
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3	7.5	https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
ssvc	Track	https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
archlinux	High	https://security.archlinux.org/AVG-2871
archlinux	High	https://security.archlinux.org/AVG-2872
archlinux	High	https://security.archlinux.org/AVG-2873

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23166.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-23166
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23166
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1105832		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105832
2367163		https://bugzilla.redhat.com/show_bug.cgi?id=2367163
ASA-202505-6		https://security.archlinux.org/ASA-202505-6
ASA-202505-7		https://security.archlinux.org/ASA-202505-7
ASA-202505-8		https://security.archlinux.org/ASA-202505-8
AVG-2871		https://security.archlinux.org/AVG-2871
AVG-2872		https://security.archlinux.org/AVG-2872
AVG-2873		https://security.archlinux.org/AVG-2873
CVE-2025-23166		https://nvd.nist.gov/vuln/detail/CVE-2025-23166
may-2025-security-releases		https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
RHSA-2025:8467		https://access.redhat.com/errata/RHSA-2025:8467
RHSA-2025:8468		https://access.redhat.com/errata/RHSA-2025:8468
RHSA-2025:8493		https://access.redhat.com/errata/RHSA-2025:8493
RHSA-2025:8506		https://access.redhat.com/errata/RHSA-2025:8506
RHSA-2025:8514		https://access.redhat.com/errata/RHSA-2025:8514
RHSA-2025:8902		https://access.redhat.com/errata/RHSA-2025:8902

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23166.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23166.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:11:17Z/ Found at https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Exploit Prediction Scoring System (EPSS)

Percentile	0.12873
EPSS Score	0.00043
Published At	May 19, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-05-15T10:52:46.659953+00:00	Debian Importer	Import	https://security-tracker.debian.org/tracker/data/json	36.0.0