CVE-2025-55131
Node.js 4.0-25.2.0 - Uninitialized Memory Exposure via Buffer Allocation Interruption
Severity: HIGH
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
Scores
CVSS v3: 7.1
EPSS: 0.0098
EPSS Percentile: 57.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-120
Status: published
Products (19)
nodejs/node 10.0 - 10.*
nodejs/node 11.0 - 11.*
nodejs/node 12.0 - 12.*
nodejs/node 13.0 - 13.*
nodejs/node 14.0 - 14.*
nodejs/node 15.0 - 15.*
nodejs/node 16.0 - 16.*
nodejs/node 17.0 - 17.*
nodejs/node 18.0 - 18.*
nodejs/node 20.19.6
... and 9 more
Published: Jan 20, 2026
Tracked Since: Feb 18, 2026