Uncaught Exception

CVE-2025-23166

High

7.5/10

Summary

The C++ method "SignTraits::DeriveBits()" may incorrectly call "ThrowException()" based on user-supplied inputs when executing in a background thread, potentially crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Therefore, this mechanism could allow an adversary to remotely crash a Node.js runtime. This vulnerability affects versions 20.x prior to 20.19.2, 22.x prior to 22.15.1, 23.x prior to 23.11.1, and 24.x prior to 24.0.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-248 - Uncaught Exception

An exception is thrown from a function, but it is not caught.

References

Advisory
Disclosure
Release Note

Advisory Timeline

Published May 19, 2025

Uncaught Exception

CVE-2025-23166

Summary

CWE-248 - Uncaught Exception

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS