cbcvebase.
CVE-2025-55131
published 2026-01-20

CVE-2025-55131: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout…

high7.1CVSS 3.0
AVNACHPRLUINSUCHIHAL
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Affected

22 ranges
VendorProductVersion rangeFixed in
debiannodejs< nodejs 22.22.0+dfsg+~cs22.19.6-1 (forky)nodejs 22.22.0+dfsg+~cs22.19.6-1 (forky)
nodejsnode>= 10.0 < 10.*10.*
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.*12.*
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.*14.*
nodejsnode>= 15.0 < 15.*15.*
nodejsnode>= 16.0 < 16.*16.*
nodejsnode>= 17.0 < 17.*17.*
nodejsnode>= 18.0 < 18.*18.*
nodejsnode20.19.6 – 20.19.6
nodejsnode22.21.1 – 22.21.1
nodejsnode24.12.0 – 24.12.0
nodejsnode25.2.1 – 25.2.1
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*
nodejsnode>= 9.0 < 9.*9.*
nodejsnodejs>= 0 < 20.19.2+dfsg-1+deb13u120.19.2+dfsg-1+deb13u1
nodejsnodejs>= 0 < 22.22.0+dfsg+~cs22.19.6-122.22.0+dfsg+~cs22.19.6-1

CVSS provenance

nvdv3.07.1HIGHCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
osv7.1HIGH