CVE-2025-23165 | THREATINT

Description

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

Reserved 2025-01-12 | Published 2025-05-19 | Updated 2025-05-28 | Assigner hackerone

LOW: 3.7CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Product status

Default status

unaffected

4.0 before 4.*

affected

5.0 before 5.*

affected

6.0 before 6.*

affected

7.0 before 7.*

affected

8.0 before 8.*

affected

9.0 before 9.*

affected

10.0 before 10.*

affected

11.0 before 11.*

affected

12.0 before 12.*

affected

13.0 before 13.*

affected

14.0 before 14.*

affected

15.0 before 15.*

affected

16.0 before 16.*

affected

17.0 before 17.*

affected

18.0 before 18.*

affected

19.0 before 19.*

affected

20.0

affected

22.0

affected

21.0 before 21.*

affected

References

nodejs.org/en/blog/vulnerability/may-2025-security-releases

cve.org (CVE-2025-23165)

nvd.nist.gov (CVE-2025-23165)

Download JSON