UBUNTU-CVE-2025-23165

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-23165

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-23165.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-23165

Related

CVE-2025-23165

Published

2025-05-19T02:15:00Z

Modified

2025-06-03T09:01:11Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

[none]

Details

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

Affected packages

Ubuntu:24.10 / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@20.16.0+dfsg-1ubuntu1?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

18.*

18.19.1+dfsg-6ubuntu5

18.20.1+dfsg-4ubuntu4

20.*

20.13.1+dfsg-2ubuntu6

20.14.0+dfsg-1ubuntu1

20.14.0+dfsg-2ubuntu1

20.14.0+dfsg-3ubuntu1

20.15.0+dfsg-1ubuntu3

20.16.0+dfsg-1ubuntu1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@20.18.1+dfsg-1ubuntu2?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.16.0+dfsg-1ubuntu1

20.17.0+dfsg-2ubuntu1

20.18.0+dfsg-2

20.18.1+dfsg-1ubuntu1

20.18.1+dfsg-1ubuntu2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}