HIGH: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Default status: unaffected
affected: 4.0 (semver) before 4.*
affected: 5.0 (semver) before 5.*
affected: 6.0 (semver) before 6.*
affected: 7.0 (semver) before 7.*
affected: 8.0 (semver) before 8.*
affected: 9.0 (semver) before 9.*
affected: 10.0 (semver) before 10.*
affected: 11.0 (semver) before 11.*
affected: 12.0 (semver) before 12.*
affected: 13.0 (semver) before 13.*
affected: 14.0 (semver) before 14.*
affected: 15.0 (semver) before 15.*
affected: 16.0 (semver) before 16.*
affected: 17.0 (semver) before 17.*
affected: 18.0 (semver) before 18.*
affected: 19.0 (semver) before 19.*
affected: 20.0 (semver)
affected: 22.0 (semver)
affected: 23.0 (semver)
affected: 24.0 (semver)
affected: 21.0 (semver) before 21.*
Description
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
References
nodejs.org/en/blog/vulnerability/may-2025-security-releases