CVE-2025-23166 The advisory has been revoked - it doesn't affect any version of package nodejs (opens in a new tab)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DEBIAN11-NODEJS-10175983
- published16 May 2025
- disclosed19 May 2025
Introduced: 16 May 2025
NewCVE-2025-23166 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Amendment
The Debian security team deemed this advisory irrelevant for Debian:11.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nodejs package and not the nodejs package as distributed by Debian.
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.