CVE-2025-23165

Name
CVE-2025-23165
Description
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.
Impact:
* This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
NVD Severity
low

References

| Type | URI |
| --- | --- |
| support@hackerone.com | https://nodejs.org/en/blog/vulnerability/may-2025-security-releases |

Match rules

CPE URI Source package Min version Max version
node >= 0 <= 20.19.1
node >= 0 <= 22.15.0

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| nodejs | 3.21-main | 22.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |