CVE-2025-55131 — Classic Buffer Overflow in Node

CWE-120 — Classic Buffer Overflow CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere7 documents7 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 90.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node Nodejs

Timeline

PublishedJan 20

Description

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code ex…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:LExploitability: 1.6 | Impact: 5.5

Affected Packages2 packages

▶CVEListV5nodejs/node4.0 — 4.*+18

▶Debiannodejs/nodejs< 20.19.2+dfsg-1+deb13u1+1

🔴Vulnerability Details

GHSA

GHSA-9jwr-p39p-hwg2: A flaw in Node↗2026-01-20

▶

CVEList

CVE-2025-55131: A flaw in Node↗2026-01-20

▶

OSV

CVE-2025-55131: A flaw in Node↗2026-01-20

▶

📋Vendor Advisories

Red Hat

nodejs: Nodejs uninitialized memory exposure↗2026-01-20

▶

Debian

CVE-2025-55131: nodejs - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-55131 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶