Node.js Worker Permission Bypass Vulnerability via InternalWorker Leak

Vulnerability

A vulnerability exists in Node.js 20.x before 20.18.2, 22.x before 22.13.1, and 23.x before 23.6.1 that affects users of the Permission Model (`--permission`, spelled `--experimental-permission` on Node.js 20). Code running inside a restricted process can hook into the event that fires whenever a worker thread is created (the `worker_threads` diagnostics channel). That event is published not only for regular workers but also for Node's internal workers, so the restricted code can fetch an internal worker instance, read its constructor (InternalWorker), and instantiate it again. Because InternalWorker was not subject to the Permission Model's checks, the new worker runs outside the restrictions the process was started with, bypassing the Permission Model.

Impact

Exploitation lets code that is supposed to be confined by the Permission Model run an InternalWorker that is not confined by it. In practice that defeats the Permission Model's restrictions on the process, allowing sensitive information disclosure or unauthorized modification of data that the restricted code should not have been able to reach. Processes that do not enable the Permission Model are not affected by this issue.

Remediation

Upgrade to Node.js 20.18.2, 22.13.1, or 23.6.1 (or a later release on the same line); these releases reject InternalWorker use when the Permission Model is enabled. There is no configuration workaround, so any process that relies on `--permission` on an affected version should be treated as unprotected until it is upgraded.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (scores out of 10)
spread: 7.8
impact: 5.0
exploitability: 4.7
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.