WARNING: CRITICAL VULNERABILITIES (CVE-2025-23087, CVE-2025-23088, CVE-2025-23089) IN NODE.JS COULD LEAD TO UNAUTHORIZED ACCESS, CODE EXECUTION, DATA LOSS, OR SYSTEM COMPROMISE, PATCH IMMEDIATELY!

Published: 31/01/2025

Reference:
Advisory #2025-24

Version:
1.0

Affected software:
Node.js: v17.x, v19.x, v21.x

Type:
Insufficient security control, code execution, inadequate access control

CVE/CVSS:
•    CVE-2025-23087: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
•    CVE-2025-23088: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
•    CVE-2025-23089: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

NodeJS: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Risks

By exploiting these vulnerabilities, a threat actor can:

  • Gain unauthorized access to the system due to insufficient security controls in older Node.js versions,
  • Bypass security mechanisms and execute arbitrary code, potentially compromising the system,
  • Leverage inadequate access controls to obtain unauthorized access and carry out malicious activities.

These vulnerabilities have a significant impact on confidentiality, integrity, and availability.

There is currently no evidence of these vulnerabilities being actively exploited, nor are there any proof-of-concept exploits available at this time.

Description

These CVEs cover the exposure to unaddressed software vulnerabilities that comes from the continued use of End-of-Life (EOL) Node.js versions, which no longer receive security updates or patches.

  • CVE-2025-23087 (Node.js v17.x and earlier): This critical vulnerability affects outdated Node.js versions (v17.x and prior), potentially allowing attackers to gain unauthorized access due to inadequate security mechanisms.
  • CVE-2025-23088 (Node.js v19.x): A severe flaw in Node.js v19.x enables attackers to bypass security protections and execute arbitrary code.
  • CVE-2025-23089 (Node.js v21.x): This vulnerability, like CVE-2025-23088, affects Node.js v21.x and arises from insufficient access controls, making exploitation possible.

Apart from the critical vulnerabilities, there are three vulnerabilities of lower severity:

  • CVE-2025-23083 (Worker Permission Bypass): A high-severity vulnerability in Node.js v20.x, v22.x, and v23.x, where an attacker can exploit an internal worker leak through the diagnostics_channel utility. This could grant unauthorized access to restricted worker threads, potentially escalating privileges.
  • CVE-2025-23084 (Path Traversal on Windows): A medium-severity vulnerability affecting Node.js on Windows, where improper handling of drive names allows attackers to bypass path restrictions and access unauthorized directories.
  • CVE-2025-23085 (GOAWAY HTTP/2 Memory Leak): A memory leak issue impacting Node.js v18.x, v20.x, v22.x, and v23.x, occurring when a remote peer closes a socket without sending a GOAWAY signal. This flaw may lead to excessive resource consumption and potential denial-of-service (DoS) conditions.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
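
To scope patching, the release lines named in the Description can be turned into an inventory check. The following is an added example, not code from the CCB or the Node.js project; the function names (`parseMajor`, `classify`, `audit`), the status labels and the sample inventory are constructed for illustration.

```javascript
// Release lines copied from the advisory text. It gives no fixed version numbers,
// so supported lines are only flagged for a patch-level check.
const EOL_RULES = [
  { cve: 'CVE-2025-23087', match: (major) => major <= 17 },  // v17.x and earlier
  { cve: 'CVE-2025-23088', match: (major) => major === 19 }, // v19.x
  { cve: 'CVE-2025-23089', match: (major) => major === 21 }, // v21.x
];
const LINE_RULES = [
  { cve: 'CVE-2025-23083', lines: [20, 22, 23] },     // worker permission bypass
  { cve: 'CVE-2025-23085', lines: [18, 20, 22, 23] }, // HTTP/2 GOAWAY memory leak
];

// Accepts "v22.12.0" or "22.12.0"; returns null for anything else.
function parseMajor(version) {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(String(version).trim());
  return m ? Number(m[1]) : null;
}

function classify(version, platform) {
  const major = parseMajor(version);
  if (major === null) return { version, status: 'unparseable', cves: [] };
  const eol = EOL_RULES.filter((r) => r.match(major)).map((r) => r.cve);
  const cves = eol.concat(
    LINE_RULES.filter((r) => r.lines.includes(major)).map((r) => r.cve));
  // The advisory lists CVE-2025-23084 as Windows-only and names no release lines.
  if (platform === 'win32') cves.push('CVE-2025-23084');
  const status = eol.length ? 'eol-upgrade-release-line'
    : cves.length ? 'verify-patch-level' : 'not-listed';
  return { version, status, cves };
}

// Constructed sample inventory (hosts and versions are made up for the example).
const SAMPLE_INVENTORY = [
  { host: 'build-01', version: 'v17.9.1', platform: 'linux' },
  { host: 'api-02', version: '21.7.3', platform: 'linux' },
  { host: 'win-svc-03', version: 'v22.12.0', platform: 'win32' },
  { host: 'legacy-04', version: 'unknown', platform: 'linux' },
];

function audit(inventory) {
  return inventory.map((h) => ({ host: h.host, ...classify(h.version, h.platform) }));
}

console.table(audit(SAMPLE_INVENTORY));
console.log('this runtime:', classify(process.version, process.platform));
```

Hosts reported as `eol-upgrade-release-line` need a move to a supported release line; hosts reported as `verify-patch-level` should be compared against the Node.js security release notes linked under Sources.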

Monitor/Detect
The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Cyble: https://cyble.com/blog/critical-vulnerabilities-in-node-js-expose-systems/