CVE-2025-23165 LOW

CVE-2025-23165

Vendor Nodejs
Product node
Published May 19, 2025
Last update May 28, 2025

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

Key dates

02Disclosure timeline

May 19, 2025 CVE published
May 28, 2025 Record updated