CVE-2025-55131
Uninitialized Memory Exposure in Node.js Buffer Allocation

Publication date: 2026-01-20

Last updated on: 2026-02-26

Assigner: HackerOne

Description
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted while the `vm` module is used with the `timeout` option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances such as `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Meta Information
Published: 2026-01-20
Last Modified: 2026-02-26
Generated: 2026-06-16
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-06-14

Affected Vendors & Products
Vendor: nodejs
Product: node.js
Version / Range: *

CWE
CWE-120: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Compliance Impact

This vulnerability can lead to the exposure of in-process secrets such as tokens or passwords due to uninitialized memory being leaked. Such exposure of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. Therefore, organizations using affected Node.js versions might face compliance risks if this vulnerability is exploited.

Executive Summary

This vulnerability is a flaw in Node.js's buffer allocation logic when using the vm module with the timeout option. Under certain timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations. This can expose uninitialized memory, potentially leaking in-process secrets such as tokens or passwords, or causing data corruption. Exploitation usually requires precise timing or in-process code execution, but it can become remotely exploitable if untrusted input influences workload and timeouts.
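
As an added example (not code from the advisory or from the Node.js project), the heuristic scan below flags places in a code base that run scripts through the `vm` module with a `timeout` option, the condition named above, so they can be prioritised for review. The function names, the regular expressions and the sample source are constructed for illustration; the `vm` methods it looks for are `runInContext`, `runInNewContext` and `runInThisContext`.

```javascript
// Added example: heuristic audit for vm run* calls that pass a `timeout` option.
// Text-based (no AST), so treat findings as review leads, not proof.
const RUN_CALL = /\.\s*(runInContext|runInNewContext|runInThisContext)\s*\(/g;
const STRING_LITERAL = /(["'`])(?:\\[^]|(?!\1)[^\\])*\1/g;

// Return the argument text of a call whose opening parenthesis ends just
// before `start`, skipping quoted text so parentheses in strings are ignored.
function callArguments(source, start) {
  let depth = 1;
  for (let i = start; i < source.length; i++) {
    const ch = source[i];
    if (ch === '"' || ch === "'" || ch === '`') {
      for (i++; i < source.length && source[i] !== ch; i++) {
        if (source[i] === '\\') i++; // skip the escaped character
      }
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')' && --depth === 0) {
      return source.slice(start, i);
    }
  }
  return source.slice(start); // unbalanced input: return what is left
}

// Report { line, method } for each run* call whose arguments mention a
// `timeout` key (`timeout: n`) or shorthand property (`{ timeout }`).
function findVmTimeoutCalls(source) {
  const findings = [];
  for (const m of source.matchAll(RUN_CALL)) {
    const args = callArguments(source, m.index + m[0].length);
    const code = args.replace(STRING_LITERAL, '""'); // ignore quoted text
    if (/\btimeout\b\s*[:,}]/.test(code)) {
      findings.push({ line: source.slice(0, m.index).split('\n').length, method: m[1] });
    }
  }
  return findings;
}

// Constructed sample source, not taken from any real project.
const SAMPLE = [
  "const vm = require('node:vm');",
  "vm.runInNewContext(userCode, sandbox, { timeout: 50 });",
  "vm.runInThisContext('1 + 1');",
  "const script = new vm.Script(src);",
  "script.runInContext(ctx, {",
  "  displayErrors: false,",
  "  timeout,",
  "});",
  "vm.runInContext('f(\")\")', ctx);",
].join('\n');
console.log(findVmTimeoutCalls(SAMPLE));
```
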

Impact Analysis

The vulnerability can lead to the exposure of sensitive in-process data such as tokens or passwords, compromising confidentiality. It can also cause data corruption, impacting data integrity. Because exploitation may be remotely possible under certain conditions, it poses a risk of unauthorized data disclosure and integrity loss.
