- Description
- A flaw in Node.js's buffer allocation logic can expose uninitialized memory when an allocation is interrupted by a timeout set through the `vm` module's timeout option. Under specific timing conditions, buffers created with `Buffer.alloc` and other `TypedArray` instances such as `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets such as tokens or passwords to leak or causing data corruption. Exploitation typically requires precise timing or in-process code execution, but it can become remotely exploitable when untrusted input influences workload and timeouts, giving a potential confidentiality and integrity impact.
- Source
- support@hackerone.com
- NVD status
- Deferred
CVSS 3.0
- Type
- Secondary
- Base score
- 7.1
- Impact score
- 5.5
- Exploitability score
- 1.6
- Vector string
- CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-120
- Hype score
- Not currently trending
Time to get excited about the latest Node.js security patches! 🚀 Covering versions 20.x–25.x, these updates fix High-severity buffer leaks (CVE-2025-55131) and harden the experimental Permission Model against symlink exploits. Essential resilience for production workloads!
@multiverso_info
19 Mar 2026
108 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Vulnerabilities in Node.js ❗ CVE-2025-59465 ❗ CVE-2025-55131 ❗ CVE-2025-55130 ➡️ More info: https://t.co/f2f9WvQE7y https://t.co/4B6X02leVC
@CERTpy
20 Jan 2026
100 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
One week post-Node.js patch: My local environment is finally stable on v22.22.0. 🛡️ If you haven't upgraded yet, the Buffer.alloc vulnerability (CVE-2025-55131) is nasty. Don't risk it, update your runtimes today.
@ServBayDev
19 Jan 2026
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Node.js January 13, 2026 Security Releases https://t.co/AJE4YZ4bd1 CVE-2025-55131 Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled CVE-2025-55130 Bypass filesystem permissions using symlinks CVE-2025-59465 HTTP/2 server crashes with unhandled error &
@oss_security
15 Jan 2026
1677 Impressions
3 Retweets
15 Likes
6 Bookmarks
0 Replies
0 Quotes
🚨 Node.js Emergency Security Release Patches 7 Flaws Across Active Branches (20/22/24/25) Node.js shipped security updates (Jan 13, 2026) fixing 7 vulnerabilities, including high-severity bugs enabling uninitialized-memory data leaks (CVE-2025-55131), permission bypass via
@ThreatSynop
13 Jan 2026
87 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes