Node.js Internal Worker Leak Vulnerability Allowing Permission Bypass

Vulnerability

A vulnerability exists in Node.js versions 20, 22, and 23 for users with the Permission Model enabled. By using the diagnostics_channel utility, it is possible to intercept the events emitted when a worker thread is created. These events are emitted not only for regular worker threads but also for internal workers, which exposes an instance of the internal worker. The constructor of this internal worker can be extracted and reused for malicious purposes, effectively bypassing the Permission Model restrictions.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal worker threads, allowing for manipulation or misuse of their constructors in a harmful way.
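
An added example (not part of the advisory and not Node.js project code): a JavaScript check that reports whether a running process matches the conditions described above, namely a listed major line, the Permission Model enabled, and a subscriber on the worker_threads diagnostics channel. The function names and level labels are hypothetical, and because the advisory gives no fixed patch versions, the whole major line is flagged.

```javascript
// Added example, not Node.js project code. Works as CommonJS or ESM.
const dc = typeof require === 'function'
  ? require('node:diagnostics_channel')
  : process.getBuiltinModule('node:diagnostics_channel');

// Major release lines the advisory names. No fixed patch versions are given
// on the page, so every release in these lines is flagged for review.
const AFFECTED_MAJORS = [20, 22, 23];

// Built-in diagnostics channel that Node.js publishes to on Worker creation.
const WORKER_CHANNEL = 'worker_threads';

// Pure classification step, so it can be run over inventory data as well.
// The level names are hypothetical labels chosen for this example.
function assessExposure({ version, permissionEnabled, workerChannelSubscribed }) {
  const major = Number.parseInt(String(version).replace(/^v/, ''), 10);
  if (!permissionEnabled) {
    return { level: 'not-applicable', major, reason: 'Permission Model is off' };
  }
  if (!AFFECTED_MAJORS.includes(major)) {
    return { level: 'not-listed', major, reason: 'major line not named in the advisory' };
  }
  if (workerChannelSubscribed) {
    // Subscribers are often legitimate (APM, tracing), so this is a prompt to
    // identify the subscribing module, not proof of abuse.
    return { level: 'investigate', major, reason: `subscriber present on ${WORKER_CHANNEL}` };
  }
  return { level: 'affected-line', major, reason: 'upgrade per vendor guidance' };
}

// Reads the same three facts from the current process.
function collectRuntimeState() {
  return {
    version: process.version,
    // process.permission is only defined when the Permission Model flag was
    // passed at startup (--permission, or --experimental-permission on v20).
    permissionEnabled: typeof process.permission !== 'undefined',
    workerChannelSubscribed: dc.hasSubscribers(WORKER_CHANNEL),
  };
}

console.log(assessExposure(collectRuntimeState()));
```

Run it with the same command-line flags as the production service so that the Permission Model state matches.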

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.