UBUNTU-CVE-2025-23165
- Source
- https://ubuntu.com/security/CVE-2025-23165
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-23165.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-23165
- Upstream
- Published
- 2025-05-19T02:15:00Z
- Modified
- 2025-07-14T06:59:45.135833Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- - medium
- Summary
- [none]
- Details
-
In Node.js, the
ReadFileUtf8internal binding leaks memory due to a corrupted pointer inuv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying onReadFileUtf8on Node.js release lines: v20 and v22. - References
-
- https://ubuntu.com/security/CVE-2025-23165
- https://www.cve.org/CVERecord?id=CVE-2025-23165
- https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
- https://github.com/nodejs/node/commit/9e13bf0a81e15c7b3a9f1826dccbcea991d7e63a