[AUTO-CHERRYPICK] Patch nodejs for CVE-2025-23083 - branch 3.0-dev (#12119)

CBL-Mariner-Bot · Sumynwa · web-flow · commit 16cb2ad3579c · 2025-01-29T15:30:04.000-05:00
Co-authored-by: Sumedh Alok Sharma &lt;sumsharma@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2025-23083.patch b/SPECS/nodejs/CVE-2025-23083.patch
@@ -0,0 +1,94 @@
+From 389f239a282de04651cebdc99bc0af5d19aa955d Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Tue, 27 Aug 2024 18:00:12 -0300
+Subject: [PATCH] src,loader,permission: throw on InternalWorker use
+
+Previously this PR it was expected that InternalWorker
+usage doesn't require the --allow-worker when the permission
+model is enabled. This, however, exposes a vulnerability
+whenever the instance gets accessed by the user. For example
+through diagnostics_channel.subscribe('worker_threads')
+
+PR-URL: https://github.com/nodejs-private/node-private/pull/652
+Refs: https://hackerone.com/reports/2575105
+CVE-ID: CVE-2025-23083
+---
+ src/node_worker.cc                            |  6 ++----
+ test/es-module/test-esm-loader-hooks.mjs      |  8 ++++----
+ .../test-permission-dc-worker-threads.js      | 19 +++++++++++++++++++
+ 3 files changed, 25 insertions(+), 8 deletions(-)
+ create mode 100644 test/parallel/test-permission-dc-worker-threads.js
+
+diff --git a/src/node_worker.cc b/src/node_worker.cc
+index 196eb3bc..31268115 100644
+--- a/src/node_worker.cc
++++ b/src/node_worker.cc
+@@ -484,12 +484,10 @@ Worker::~Worker() {
+ 
+ void Worker::New(const FunctionCallbackInfo<Value>& args) {
+   Environment* env = Environment::GetCurrent(args);
++  THROW_IF_INSUFFICIENT_PERMISSIONS(
++      env, permission::PermissionScope::kWorkerThreads, "");
+   auto is_internal = args[5];
+   CHECK(is_internal->IsBoolean());
+-  if (is_internal->IsFalse()) {
+-    THROW_IF_INSUFFICIENT_PERMISSIONS(
+-        env, permission::PermissionScope::kWorkerThreads, "");
+-  }
+   Isolate* isolate = args.GetIsolate();
+ 
+   CHECK(args.IsConstructCall());
+diff --git a/test/es-module/test-esm-loader-hooks.mjs b/test/es-module/test-esm-loader-hooks.mjs
+index 8e616c0d..225ab26a 100644
+--- a/test/es-module/test-esm-loader-hooks.mjs
++++ b/test/es-module/test-esm-loader-hooks.mjs
+@@ -154,7 +154,7 @@ describe('Loader hooks', { concurrency: true }, () => {
+     });
+   });
+ 
+-  it('should work without worker permission', async () => {
++  it('should not work without worker permission', async () => {
+     const { code, signal, stdout, stderr } = await spawnPromisified(execPath, [
+       '--no-warnings',
+       '--experimental-permission',
+@@ -165,9 +165,9 @@ describe('Loader hooks', { concurrency: true }, () => {
+       fixtures.path('es-modules/esm-top-level-await.mjs'),
+     ]);
+ 
+-    assert.strictEqual(stderr, '');
+-    assert.match(stdout, /^1\r?\n2\r?\n$/);
+-    assert.strictEqual(code, 0);
++    assert.match(stderr, /Error: Access to this API has been restricted/);
++    assert.strictEqual(stdout, '');
++    assert.strictEqual(code, 1);
+     assert.strictEqual(signal, null);
+   });
+ 
+diff --git a/test/parallel/test-permission-dc-worker-threads.js b/test/parallel/test-permission-dc-worker-threads.js
+new file mode 100644
+index 00000000..73cbf029
+--- /dev/null
++++ b/test/parallel/test-permission-dc-worker-threads.js
+@@ -0,0 +1,19 @@
++// Flags: --experimental-permission --allow-fs-read=* --experimental-test-module-mocks
++'use strict';
++
++const common = require('../common');
++const assert = require('node:assert');
++
++{
++  const diagnostics_channel = require('node:diagnostics_channel');
++  diagnostics_channel.subscribe('worker_threads', common.mustNotCall());
++  const { mock } = require('node:test');
++
++  // Module mocking should throw instead of posting to worker_threads dc
++  assert.throws(() => {
++    mock.module('node:path');
++  }, common.expectsError({
++    code: 'ERR_ACCESS_DENIED',
++    permission: 'WorkerThreads',
++  }));
++}
+-- 
+2.25.1
+
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -18,6 +18,7 @@ Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}
 Patch0:         disable-tlsv1-tlsv1-1.patch
 Patch1:         CVE-2019-10906.patch
 Patch2:         CVE-2024-21538.patch
+Patch3:         CVE-2025-23083.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -129,6 +130,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Mon Jan 27 2025 Sumedh Sharma <sumsharma@microsoft.com> - 20.14.0-4
+- Patch CVE-2025-23083
+
 * Tue Nov 19 2024 Bala <balakumaran.kannan@microsoft.com> - 20.14.0-3
 - Patch CVE-2024-21538
 
