Vulnerability Details

CVEID:   CVE-2025-23083
DESCRIPTION:   With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23.
CWE:   CWE-284: Improper Access Control
CVSS Source:   support@hackerone.com
CVSS Base score:   7.7
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2025-23084
DESCRIPTION:   A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Source:   support@hackerone.com
CVSS Base score:   5.6
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

CVEID:   CVE-2025-23085
DESCRIPTION:   A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
CWE:   CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source:   support@hackerone.com
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-52798
DESCRIPTION:   path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296.
CWE:   CWE-1333: Inefficient Regular Expression Complexity
CVSS Source:   security-advisories@github.com
CVSS Base score:   7.7
CVSS Vector:   (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

CVEID:   CVE-2024-47764
DESCRIPTION:   jshttp cookie could allow a remote attacker to bypass security restrictions, caused by improper input validation by the cookie name, path, and domain. By sending a specially crafted request, an attacker could exploit this vulnerability to alter other fields of the cookie.
CWE:   CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)