The generateKeys() method of the object returned by crypto.createDiffieHellman() only generates missing (or outdated) keys: it generates a private key only if none has been set yet, and it is also the call needed to compute the corresponding public key after setPrivateKey(). The documentation, however, describes the call as: "Generates private and public Diffie-Hellman key values". The documented behavior differs substantially from the actual behavior, and this difference could easily lead to security issues in applications that use these APIs; since DiffieHellman may serve as the basis for application-level security, the implications are broad.
Conclusion & alert: CVE-2023-30590 is rated Moderate Risk (54.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.46%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-21 | 1.22% | 1.46% | +0.25% |
| 2 | 2026-06-15 | 0.95% | 1.22% | +0.26% |
| 3 | 2026-03-25 | — | 0.95% | — |
Full EPSS history (35 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH | | 3.9 | 3.6 | [email protected] |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| alpine | — | CVE-2023-30590: 1 source package row (nodejs); 32 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 32. | https://security.alpinelinux.org/vuln/CVE-2023-30590 |
| debian | not yet assigned | CVE-2023-30590 not yet assigned a priority: Debian includes 1 source package (nodejs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2023-30590 |
| gentoo | low | CVE-2023-30590: 1 GLSA (202405-29), 1 atom (net-libs/nodejs); latest impact low. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2023-30590 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2023-30590 |
| suse | medium | CVE-2023-30590 severity moderate: SUSE includes 58 source package names (16-18.3:nodejs16-16.20.1-150400.3.21.1, 16-18.3:npm16-16.20.1-150400.3.21.1, …), 217 product×package rows across 22 product lines (Container bci/nodejs, SUSE Enterprise Storage 7, …): Fixed 216, Known Not Affected 1. | https://www.suse.com/security/cve/CVE-2023-30590/ |
| ubuntu | medium | CVE-2023-30590 medium priority: Ubuntu includes 1 source package (nodejs), 10 status rows across 10 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, trusty, upstream, xenial): released 6, ignored 2, needs-triage 1, not-affected 1. | https://ubuntu.com/security/CVE-2023-30590 |