CVE-2025-23165

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23165
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23165.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-23165
Aliases
Related
Published
2025-05-19T02:15:17Z
Modified
2025-06-04T05:01:05.729087Z
Downstream
Summary
[none]
Details

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

Affected packages

Alpine:v3.21 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
22.15.1-r0

Affected versions

22.*

22.11.0-r0
22.11.0-r1
22.13.1-r0

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4

20.*

20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1
20.19.2+dfsg-1

22.*

22.12.0+dfsg-1
22.12.0+dfsg-2
22.12.0+dfsg-3
22.14.0+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.19.2+dfsg-1

Affected versions

18.*

18.13.0+dfsg1-1
18.13.0+dfsg1-1.1
18.19.0+dfsg-1
18.19.0+dfsg-2
18.19.0+dfsg-3
18.19.0+dfsg-4
18.19.0+dfsg-5
18.19.0+dfsg-6~deb12u1
18.19.0+dfsg-6~deb12u2
18.19.0+dfsg-6
18.19.1+dfsg-1
18.19.1+dfsg-2
18.19.1+dfsg-3
18.19.1+dfsg-3.1
18.19.1+dfsg-4
18.19.1+dfsg-6
18.20.1+dfsg-1
18.20.1+dfsg-2
18.20.1+dfsg-3
18.20.1+dfsg-4

20.*

20.10.0+dfsg-1
20.12.2+dfsg-1
20.13.0+dfsg-1
20.13.1+dfsg-1
20.13.1+dfsg-2
20.14.0+dfsg-1
20.14.0+dfsg-2
20.14.0+dfsg-3
20.15.0+dfsg-1
20.15.1+dfsg-1
20.16.0+dfsg-1
20.17.0+dfsg-1
20.17.0+dfsg-2
20.18.0+dfsg-1
20.18.0+dfsg-2
20.18.1+dfsg-1
20.18.1+dfsg-2
20.18.2+dfsg-1
20.18.2+dfsg-2
20.18.2+dfsg-3
20.18.2+dfsg-4
20.18.3+dfsg-1
20.19.0+dfsg-1
20.19.0+dfsg-2
20.19.0+dfsg1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}