[AUTO-CHERRYPICK] Patch nodejs for CVE-2025-23083 - branch 3.0-dev #12119

Merged
merged 1 commit into from
Jan 29, 2025
94 changes: 94 additions & 0 deletions SPECS/nodejs/CVE-2025-23083.patch
@@ -0,0 +1,94 @@
From 389f239a282de04651cebdc99bc0af5d19aa955d Mon Sep 17 00:00:00 2001
From: RafaelGSS <[email protected]>
Date: Tue, 27 Aug 2024 18:00:12 -0300
Subject: [PATCH] src,loader,permission: throw on InternalWorker use

Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')

PR-URL: https://github.com/nodejs-private/node-private/pull/652
Refs: https://hackerone.com/reports/2575105
CVE-ID: CVE-2025-23083
---
src/node_worker.cc | 6 ++----
test/es-module/test-esm-loader-hooks.mjs | 8 ++++----
.../test-permission-dc-worker-threads.js | 19 +++++++++++++++++++
3 files changed, 25 insertions(+), 8 deletions(-)
create mode 100644 test/parallel/test-permission-dc-worker-threads.js

diff --git a/src/node_worker.cc b/src/node_worker.cc
index 196eb3bc..31268115 100644
--- a/src/node_worker.cc
+++ b/src/node_worker.cc
@@ -484,12 +484,10 @@ Worker::~Worker() {

void Worker::New(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
+ THROW_IF_INSUFFICIENT_PERMISSIONS(
+ env, permission::PermissionScope::kWorkerThreads, "");
auto is_internal = args[5];
CHECK(is_internal->IsBoolean());
- if (is_internal->IsFalse()) {
- THROW_IF_INSUFFICIENT_PERMISSIONS(
- env, permission::PermissionScope::kWorkerThreads, "");
- }
Isolate* isolate = args.GetIsolate();

CHECK(args.IsConstructCall());
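
Review bot: In Worker::New, `is_internal` is still read and CHECKed right after the new unconditional THROW_IF_INSUFFICIENT_PERMISSIONS call, but the visible lines no longer use it for the permission decision, and nothing in the code says why. A one-line comment above the check stating that internal workers are deliberately included (the commit message gives the reason: the instance can be reached through diagnostics_channel.subscribe('worker_threads')) would keep a later cleanup from restoring the `is_internal->IsFalse()` exemption. The renamed loader-hooks test shows that loader hooks now fail under --experimental-permission without worker permission, so this behaviour change deserves a mention in the package changelog beyond "Patch CVE-2025-23083".
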
diff --git a/test/es-module/test-esm-loader-hooks.mjs b/test/es-module/test-esm-loader-hooks.mjs
index 8e616c0d..225ab26a 100644
--- a/test/es-module/test-esm-loader-hooks.mjs
+++ b/test/es-module/test-esm-loader-hooks.mjs
@@ -154,7 +154,7 @@ describe('Loader hooks', { concurrency: true }, () => {
});
});

- it('should work without worker permission', async () => {
+ it('should not work without worker permission', async () => {
const { code, signal, stdout, stderr } = await spawnPromisified(execPath, [
'--no-warnings',
'--experimental-permission',
@@ -165,9 +165,9 @@ describe('Loader hooks', { concurrency: true }, () => {
fixtures.path('es-modules/esm-top-level-await.mjs'),
]);

- assert.strictEqual(stderr, '');
- assert.match(stdout, /^1\r?\n2\r?\n$/);
- assert.strictEqual(code, 0);
+ assert.match(stderr, /Error: Access to this API has been restricted/);
+ assert.strictEqual(stdout, '');
+ assert.strictEqual(code, 1);
assert.strictEqual(signal, null);
});

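Review bot: The new stderr assertion matches only the generic text "Access to this API has been restricted", so the test would also pass if the child process were denied for some other permission scope. Matching the permission name as well, the way the new test-permission-dc-worker-threads.js checks `code: 'ERR_ACCESS_DENIED'` and `permission: 'WorkerThreads'`, would tie the failure to the worker check this patch adds.
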
diff --git a/test/parallel/test-permission-dc-worker-threads.js b/test/parallel/test-permission-dc-worker-threads.js
new file mode 100644
index 00000000..73cbf029
--- /dev/null
+++ b/test/parallel/test-permission-dc-worker-threads.js
@@ -0,0 +1,19 @@
+// Flags: --experimental-permission --allow-fs-read=* --experimental-test-module-mocks
+'use strict';
+
+const common = require('../common');
+const assert = require('node:assert');
+
+{
+ const diagnostics_channel = require('node:diagnostics_channel');
+ diagnostics_channel.subscribe('worker_threads', common.mustNotCall());
+ const { mock } = require('node:test');
+
+ // Module mocking should throw instead of posting to worker_threads dc
+ assert.throws(() => {
+ mock.module('node:path');
+ }, common.expectsError({
+ code: 'ERR_ACCESS_DENIED',
+ permission: 'WorkerThreads',
+ }));
+}
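
Review bot: The `// Flags:` line and the `mock.module('node:path')` call depend on the test runner's module mocking (--experimental-test-module-mocks), and the spec in this PR packages Version 20.14.0; please confirm that this flag and API exist in that release, because if they do not, this test cannot run against the patched build and the only coverage left is the loader-hooks test. The test also exercises the denied path only; a companion case with --allow-worker granted would show that module mocking still works when the permission is present.
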
--
2.25.1

6 changes: 5 additions & 1 deletion SPECS/nodejs/nodejs.spec
Expand Up @@ -5,7 +5,7 @@ Name: nodejs
# WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
# The version of NPM can be found inside the sources under 'deps/npm/package.json'.
Version: 20.14.0
Release: 3%{?dist}
Release: 4%{?dist}
License: BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -18,6 +18,7 @@ Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}
Patch0: disable-tlsv1-tlsv1-1.patch
Patch1: CVE-2019-10906.patch
Patch2: CVE-2024-21538.patch
Patch3: CVE-2025-23083.patch
BuildRequires: brotli-devel
BuildRequires: c-ares-devel
BuildRequires: coreutils >= 8.22
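
Review bot: `Patch3: CVE-2025-23083.patch` is declared here, but none of the visible spec hunks touch %prep, so it is not possible to tell from this diff that the patch is applied. Please confirm that %prep uses %autosetup (or an equivalent that applies every PatchN) rather than explicit per-patch lines, since otherwise Patch3 would be listed and the Release bumped to 4 without the fix reaching the build.
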
Expand Down Expand Up @@ -129,6 +130,9 @@ make cctest
%{_prefix}/lib/node_modules/*

%changelog
* Mon Jan 27 2025 Sumedh Sharma <[email protected]> - 20.14.0-4
- Patch CVE-2025-23083

* Tue Nov 19 2024 Bala <[email protected]> - 20.14.0-3
- Patch CVE-2024-21538
