AZL-61913

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61913.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-61913

Upstream

CVE-2025-23165

Published

2025-05-19T02:15:17Z

Modified

2026-04-21T04:31:53.202559Z

Summary

CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9

Details

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-23165

Affected packages

Azure Linux:3 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/azure-linux/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.14.0-9

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61913.json"