FKIE_CVE-2025-55131

Vulnerability from fkie_nvd - Published: 2026-01-20 21:16 - Updated: 2026-04-15 00:35
Summary
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw in Node.js\u0027s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact."
    },
    {
      "lang": "es",
      "value": "Una falla en la l\u00f3gica de asignaci\u00f3n de b\u00faferes de Node.js puede exponer memoria no inicializada cuando las asignaciones son interrumpidas, al usar el m\u00f3dulo \u0027vm\u0027 con la opci\u00f3n de tiempo de espera. Bajo condiciones de tiempo espec\u00edficas, los b\u00faferes asignados con \u0027Buffer.alloc\u0027 y otras instancias de \u0027TypedArray\u0027 como \u0027Uint8Array\u0027 pueden contener datos residuales de operaciones anteriores, permitiendo que secretos en proceso como tokens o contrase\u00f1as se filtren o causando corrupci\u00f3n de datos. Si bien la explotaci\u00f3n normalmente requiere una sincronizaci\u00f3n precisa o la ejecuci\u00f3n de c\u00f3digo en proceso, puede volverse explotable de forma remota cuando una entrada no confiable influye en la carga de trabajo y los tiempos de espera, lo que lleva a un potencial impacto en la confidencialidad y la integridad."
    }
  ],
  "id": "CVE-2025-55131",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.5,
        "source": "support@hackerone.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-20T21:16:03.320",
  "references": [
    {
      "source": "support@hackerone.com",
      "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-120"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

