Critical security vulnerabilities in multiple Node.js versions (v18.x, v20.x, v22.x, v23.x) pose high risks, including data theft, DoS, and system compromise.

Overview

A series of critical security vulnerabilities have been discovered in multiple versions of Node.js, a popular open-source JavaScript runtime used to build scalable network applications. These vulnerabilities, outlined in CERT-In Vulnerability Note CIVN-2025-0011, have been classified as high severity, with the potential to compromise sensitive information, disrupt services, and even execute arbitrary code. Users of Node.js, including developers and organizations relying on this platform, are urged to take immediate action to secure their systems.

The vulnerabilities affect several versions of Node.js, including both long-term support (LTS) and current releases. Affected versions include Node.js v18.x, v20.x, v22.x, and the latest v23.x. The flaws stem from various issues, including memory leaks, path traversal vulnerabilities, and worker permission bypasses, which could result in denial of service (DoS) conditions, data theft, and potential system compromises.

The vulnerabilities present a high risk of unauthorized access to sensitive data, denial of service, or even complete system compromise. These flaws can be exploited remotely, allowing attackers to gain control over affected systems. The potential impacts are significant, especially in production environments where Node.js applications are running in high-traffic scenarios.

Key Vulnerabilities in Node.js

1. CVE-2025-23087 (Node.js v17.x and prior): This critical vulnerability affects older versions of Node.js (v17.x or earlier), with an attacker potentially gaining unauthorized access due to insufficient security controls. The severity of the flaw demands immediate attention from users of these older versions.
2. CVE-2025-23088 (Node.js v19.x): A critical flaw affecting Node.js v19.x, which could allow an attacker to bypass security measures and execute arbitrary code. It’s essential for users of v19.x to update to the latest release to mitigate the risk.
3. CVE-2025-23089 (Node.js v21.x): Similar to CVE-2025-23088, this vulnerability impacts Node.js v21.x, allowing for potential exploitation due to a lack of proper access control and security features. Users should upgrade to patched versions of Node.js immediately.
4. CVE-2025-23083 (Worker Permission Bypass): A high-severity vulnerability discovered in Node.js v20.x, v22.x, and v23.x, where an attacker could exploit the internal worker leak mechanism via the diagnostics_channel utility. This flaw could enable unauthorized access to worker threads, which are typically restricted, potentially leading to privilege escalation.
5. CVE-2025-23084 (Path Traversal on Windows): A medium-severity vulnerability impacting Windows users of Node.js. This flaw allows attackers to exploit improper handling of drive names in the Windows environment, potentially accessing unauthorized directories on the system by bypassing path restrictions.
6. CVE-2025-23085 (GOAWAY HTTP/2 Memory Leak): A memory leak issue triggered when a remote peer closes the socket without sending a GOAWAY notification. This issue affects Node.js versions v18.x, v20.x, v22.x, and v23.x. The memory leak could lead to increased resource consumption and potential DoS conditions under specific conditions.

The Importance of Updating Node.js

The Node.js team released patches for affected versions on January 21, 2025, addressing the vulnerabilities mentioned above. Users are strongly advised to upgrade to the latest versions to ensure their systems remain secure. Specifically, Node.js v18.20.6, v20.18.2, v22.13.1, and v23.6.1 have been made available to fix these critical issues.

Organizations and developers running vulnerable versions of Node.js should prioritize upgrading their installations to avoid security breaches. Additionally, those using older or End-of-Life (EOL) versions of Node.js should take immediate action, as they will continue to be exposed to these vulnerabilities until they are patched.

Node.js Security Releases and Dependencies

As part of their security releases, Node.js has also updated several critical dependencies. Notably, the undici HTTP client library has been updated across all supported versions to address public vulnerabilities. These updates are essential for maintaining the integrity of applications that rely on these dependencies.

For developers using Node.js in production environments, these security updates are a critical component of a proactive approach to cybersecurity. With regular security patches, Node.js can remain a secure and reliable runtime for building server-side applications.

CERT-In and Node.js Security Response

CERT-In, the Indian Computer Emergency Response Team, issued a vulnerability note (CIVN-2025-0011) to inform organizations and individuals about the potential risks posed by these vulnerabilities in Node.js. CERT-In has been actively working with Node.js maintainers to ensure that the patches are implemented effectively and that affected users are aware of the necessary updates.

In addition to the immediate patches released by Node.js, CERT-In emphasizes the importance of regularly monitoring the security landscape for updates and applying patches in a timely manner to reduce the risk of exploitation.

Recommended Actions for Node.js Users

To mitigate the risks associated with these vulnerabilities, Node.js users should take the following steps:

1. Ensure that all systems are running the latest supported version of Node.js. For LTS releases, update to v18.20.6, v20.18.2, or v22.13.1. For the current release line, update to v23.6.1.
2. Ensure that critical dependencies, such as undici, are updated to their latest versions to address any known vulnerabilities.
3. Develop and maintain a patch management strategy that includes routine checks for Node.js updates and related security patches.
4. Regularly audit system logs and use security tools to detect any unusual behavior that may indicate an attempted exploitation of these vulnerabilities.

Conclusion

The recent vulnerabilities in Node.js highlight the importance of keeping software up to date and following strong cybersecurity practices. As Node.js remains widely used, staying on top of security patches and monitoring cyber threats is crucial to protecting systems.

Organizations can enhance their defenses by leveraging threat intelligence solutions like Cyble, which provides advanced AI-driven threat intelligence and vulnerability management. By combining best practices with tools like Cyble, organizations can better protect their systems from online threats.

For more information on Node.js security, users can visit the official security page. Regular monitoring of resources such as CERT-In and threat intelligence platforms like Cyble is key to staying protected from risks.

References:

• https://www.cert-in.org.in/
• https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Related