CVE-2025-23090: 
Node.js vulnerability analysis and mitigation

A security vulnerability was discovered in Node.js versions v20, v22, and v23 affecting the Permission Model users (--permission). The vulnerability involves the diagnostics_channel utility, which allows events to be hooked into worker thread creation, potentially exposing internal workers and their constructors for malicious usage (Node.js Blog, NVD).

The vulnerability exists in the diagnostics_channel utility implementation where an event can be hooked whenever a worker thread is created. The issue extends beyond regular workers to expose internal workers, allowing their instances to be fetched and their constructors to be obtained for potential malicious purposes. The vulnerability has been assigned a CVSS v3.0 base score of 7.7 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (HackerOne).

The vulnerability allows attackers to access and manipulate internal worker threads, potentially leading to unauthorized access to system resources and compromise of the application's security model. This affects the confidentiality and integrity of the system, though availability remains unaffected as indicated by the CVSS scoring (NVD).

The vulnerability affects Node.js versions v20, v22, and v23 specifically when using the Permission Model (--permission). Users should update to the latest security releases provided by the Node.js team (Node.js Blog).

Red Hat Product Security has analyzed the vulnerability and determined that it does not affect any currently supported Red Hat products, though they note that this assessment may evolve based on further analysis (Red Hat).