Memory Leak Vulnerability in Node.js Affecting Multiple Versions
CVE-2025-23122

3.7 LOW

Key Information:

Vendor: Nodejs

Status
Vendor
CVE Published: 19 May 2025

What is CVE-2025-23122?

A memory leak occurs in the ReadFileUtf8 internal binding of Node.js: a corrupted pointer leads to the allocation of a UTF-16 path buffer that is incorrectly overwritten when the file descriptor is set. The result is an unrecoverable memory leak on each invocation of the function. When the function is called repeatedly, this can cause unbounded memory growth, severely impacting application performance and potentially leading to service disruptions.

Affected Version(s)

node 20.19.1

node 22.15.0

CVSS V3.0

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
