UBUNTU-CVE-2025-23165

Source
https://ubuntu.com/security/CVE-2025-23165
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-23165.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-23165
Upstream
Published
2025-05-19T02:15:00Z
Modified
2025-07-14T06:59:45.135833Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • - medium
Summary
[none]
Details

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

Affected packages

Ubuntu:25.04 / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs@20.18.1+dfsg-1ubuntu2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

20.*

20.16.0+dfsg-1ubuntu1
20.17.0+dfsg-2ubuntu1
20.18.0+dfsg-2
20.18.1+dfsg-1ubuntu1
20.18.1+dfsg-1ubuntu2