CVE-2025-23165

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-23165

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23165.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-23165

Aliases

Downstream

ALPINE-CVE-2025-23165

BELL-CVE-2025-23165

DEBIAN-CVE-2025-23165

ECHO-b3ee-7ea8-f120

MINI-655w-5rhh-237h

MINI-c52x-7wfp-m9f3

MINI-rhc5-hq55-8g57

OESA-2025-1533

OESA-2025-1534

RHSA-2025:8467

RHSA-2025:8468

RHSA-2025:8493

RHSA-2025:8506

RHSA-2025:8514

RLSA-2025:8467

RLSA-2025:8468

RLSA-2025:8493

RLSA-2025:8506

RLSA-2025:8514

SUSE-SU-2025:01878-1

SUSE-SU-2025:01879-1

UBUNTU-CVE-2025-23165

Related

Published

2025-05-19T02:15:17Z

Modified

2025-08-29T20:00:21Z

Summary

[none]

Details

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Affected packages