Node.js
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*, +2 more
- ~24
- ~23
- ~22
- ~20
A vulnerability exists in the Node.js runtime in release lines 20.x, 22.x, 23.x, and 24.x. The issue arises in the C++ method SignTraits::DeriveBits(), where improper error handling can occur during asynchronous cryptographic operations. When this method is executed in a background thread, it may incorrectly invoke ThrowException() based on user-supplied inputs, potentially causing the Node.js process to crash. This vulnerability is particularly concerning because cryptographic operations often involve untrusted inputs, allowing an adversary to remotely disrupt the Node.js runtime.
Exploitation of this vulnerability causes the Node.js process to crash, disrupting any ongoing operations or services that depend on that process.
Users can upgrade to the latest versions of Node.js in the 20.x, 22.x, 23.x, and 24.x release lines to address this vulnerability.