CVE-2025-55131
Uninitialized Memory Exposure in Node.js Buffer Allocation

Publication date: 2026-01-20

Last updated on: 2026-02-26

Assigner: HackerOne

Description
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the `vm` module with the `timeout` option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
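
A defense-in-depth wrapper for the failure mode described above, as an added example that is not part of the original advisory or of the Node.js project's fix: it checks that fresh `Buffer.alloc` and `TypedArray` allocations are really zero-filled, scrubs them if they are not, and reports only the offset and length. The names `allocZeroed`, `typedZeroed`, `verifyFresh`, `firstNonZero` and `stats` are hypothetical.

```javascript
'use strict';
// Added example, not Node.js project code. All names here are hypothetical.
// Assumption: an explicit check-and-scrub after allocation is an acceptable
// defense-in-depth cost for buffers that will be sent outside the process.

// Counters an application could export to its metrics pipeline.
const stats = { checked: 0, dirty: 0 };

// Return the index of the first non-zero byte in a view, or -1 if all zero.
function firstNonZero(view) {
  const bytes = new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
  for (let i = 0; i < bytes.length; i++) {
    if (bytes[i] !== 0) return i;
  }
  return -1;
}

// Verify a freshly allocated view. If it holds leftover data, zero it and
// report the event. Only offset and length are reported, never the bytes,
// so the report itself cannot leak the stale contents.
function verifyFresh(view, onDirty) {
  stats.checked++;
  const at = firstNonZero(view);
  if (at !== -1) {
    stats.dirty++;
    // Scrub only this view's range; the backing ArrayBuffer may be shared.
    new Uint8Array(view.buffer, view.byteOffset, view.byteLength).fill(0);
    if (onDirty) onDirty({ offset: at, length: view.byteLength });
  }
  return view;
}

// Replacement for Buffer.alloc(size) that enforces the zero-fill guarantee.
function allocZeroed(size, onDirty) {
  return verifyFresh(Buffer.alloc(size), onDirty);
}

// Replacement for new Uint8Array(n), new Uint32Array(n), and similar.
function typedZeroed(Ctor, length, onDirty) {
  return verifyFresh(new Ctor(length), onDirty);
}
```

A non-zero `stats.dirty` count in a process that also runs `vm` code with a timeout is a signal worth alerting on.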
Meta Information
Published: 2026-01-20
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-01-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nodejs
Product: node.js
Version / Range: *
CWE
CWE-120: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in Node.js's buffer allocation logic when using the vm module with the timeout option. Under certain timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations. This can expose uninitialized memory, potentially leaking in-process secrets such as tokens or passwords, or causing data corruption. Exploitation usually requires precise timing or in-process code execution, but it can become remotely exploitable if untrusted input influences workload and timeouts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to the exposure of in-process secrets such as tokens or passwords due to uninitialized memory being leaked. Such exposure of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. Therefore, organizations using affected Node.js versions might face compliance risks if this vulnerability is exploited.


How can this vulnerability impact me?

The vulnerability can lead to the exposure of sensitive in-process data such as tokens or passwords, compromising confidentiality. It can also cause data corruption, impacting data integrity. Because exploitation may be remotely possible under certain conditions, it poses a risk of unauthorized data disclosure and integrity loss.

