CVE-2025-23165

CWE-401: Memory Leak
7 documents, 6 sources
Severity: 3.7 LOW
EPSS: 0.4% (top 42.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 19

Description

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact:
* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 2.2 | Impact: 1.4

Affected Packages (3 packages)

CVEListV5: nodejs/node 4.04.*+18
Alpine: nodejs < 22.15.1-r0
Debian: nodejs < 20.19.2+dfsg-1+1

Vulnerability Details (4)

CVEList: CVE-2025-23165: In Node (2025-05-19)
GHSA: GHSA-gcf6-vgcr-474f: In Node (2025-05-19)
OSV: CVE-2025-23165: In Node (2025-05-19)
OSV: CVE-2025-23165: In Node (2025-05-19)

Vendor Advisories (2)

Red Hat: nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS (2025-05-19)
Debian: CVE-2025-23165: nodejs - In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted ... (2025)