Security Vulnerability Report
CVE-2025-55131 CVSS 7.1 HIGH

Published: 2026-01-20 21:16:03
Last Modified: 2026-04-15 00:35:42

Description

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Node.js < 20.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
No public PoC code is available.

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Raw JSON Data

{"cve": {"id": "CVE-2025-55131", "sourceIdentifier": "[email protected]", "published": "2026-01-20T21:16:03.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact."}, {"lang": "es", "value": "Una falla en la lógica de asignación de búferes de Node.js puede exponer memoria no inicializada cuando las asignaciones son interrumpidas, al usar el módulo 'vm' con la opción de tiempo de espera. Bajo condiciones de tiempo específicas, los búferes asignados con 'Buffer.alloc' y otras instancias de 'TypedArray' como 'Uint8Array' pueden contener datos residuales de operaciones anteriores, permitiendo que secretos en proceso como tokens o contraseñas se filtren o causando corrupción de datos. Si bien la explotación normalmente requiere una sincronización precisa o la ejecución de código en proceso, puede volverse explotable de forma remota cuando una entrada no confiable influye en la carga de trabajo y los tiempos de espera, lo que lleva a un potencial impacto en la confidencialidad y la integridad."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 5.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases", "source": "[email protected]"}]}}