{"id":"AZL-61919","summary":"CVE-2025-23166 affecting package nodejs for versions less than 20.14.0-9","details":"The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.","modified":"2026-04-21T04:31:53.283697Z","published":"2025-05-19T02:15:17Z","upstream":["CVE-2025-23166"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23166"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/nodejs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.14.0-9"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61919.json"}}],"schema_version":"1.7.5"}