{"id":"AZL-65066","summary":"CVE-2025-23166 affecting package nodejs18 for versions less than 18.20.3-8","details":"The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.","modified":"2026-04-21T04:32:39.790217Z","published":"2025-05-19T02:15:17Z","upstream":["CVE-2025-23166"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23166"}],"affected":[{"package":{"name":"nodejs18","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/nodejs18"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.20.3-8"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-65066.json"}}],"schema_version":"1.7.5"}