ALPINE-CVE-2025-55131
- Source
- https://security.alpinelinux.org/vuln/CVE-2025-55131
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-55131.json
- JSON Data
- https://api.osv.dev/v1/vulns/ALPINE-CVE-2025-55131
- Upstream
- Published
- 2026-01-20T21:16:03.320Z
- Modified
- 2026-01-23T17:16:03.107638Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- [none]
- Details
-
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the
vmmodule with the timeout option. Under specific timing conditions, buffers allocated withBuffer.allocand otherTypedArrayinstances likeUint8Arraymay contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. - References
Affected packages
Alpine:v3.22 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:apk/alpine/nodejs?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed22.22.0-r0
Alpine:v3.23 / nodejs
Package
- Name
- nodejs
- Purl
- pkg:apk/alpine/nodejs?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed24.13.0-r0