CVE-2025-55131
Deferred Deferred - Pending Action

Uninitialized Memory Exposure in Node.js Buffer Allocation

Vulnerability report for CVE-2025-55131, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-20

Last updated on: 2026-06-30

Assigner: HackerOne

Description

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-20
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-01-21
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nodejs node.js *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability can lead to the exposure of in-process secrets such as tokens or passwords due to uninitialized memory being leaked. Such exposure of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. Therefore, organizations using affected Node.js versions might face compliance risks if this vulnerability is exploited.

Executive Summary

This vulnerability is a flaw in Node.js's buffer allocation logic when using the vm module with the timeout option. Under certain timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations. This can expose uninitialized memory, potentially leaking in-process secrets such as tokens or passwords, or causing data corruption. Exploitation usually requires precise timing or in-process code execution, but it can become remotely exploitable if untrusted input influences workload and timeouts.

Impact Analysis

The vulnerability can lead to the exposure of sensitive in-process data such as tokens or passwords, compromising confidentiality. It can also cause data corruption, impacting data integrity. Because exploitation may be remotely possible under certain conditions, it poses a risk of unauthorized data disclosure and integrity loss.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55131. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart