CVE-2025-55131

EUVD-2026-3331

20.01.2026, 21:16

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Classic Buffer Overflow

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Debian Releases

Debian Product

Codename

nodejs

bookworm	vulnerable
bookworm (security)	18.20.4+dfsg-1~deb12u2 fixed
bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u8 fixed
forky	24.15.0+dfsg+~cs24.12.2-1 fixed
sid	24.15.0+dfsg+~cs24.12.2-1 fixed
trixie	20.19.2+dfsg-1+deb13u2 fixed
trixie (security)	20.19.2+dfsg-1+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

nodejs20

suse enterprise server 15 SP5	20.20.0-150500.11.24.1 fixed
suse enterprise server 15 SP6	20.20.0-150600.3.15.1 fixed

nodejs20-devel

suse enterprise server 15 SP5	20.20.0-150500.11.24.1 fixed
suse enterprise server 15 SP6	20.20.0-150600.3.15.1 fixed

nodejs20-docs

suse enterprise server 15 SP5	20.20.0-150500.11.24.1 fixed
suse enterprise server 15 SP6	20.20.0-150600.3.15.1 fixed

nodejs22

suse enterprise sap 15 SP7	22.22.0-150700.3.6.1 fixed
suse enterprise server 15 SP6	22.22.0-150600.13.12.1 fixed
suse enterprise server 15 SP7	22.22.0-150700.3.6.1 fixed

nodejs22-devel

suse enterprise sap 15 SP7	22.22.0-150700.3.6.1 fixed
suse enterprise server 15 SP6	22.22.0-150600.13.12.1 fixed
suse enterprise server 15 SP7	22.22.0-150700.3.6.1 fixed

nodejs22-docs

suse enterprise sap 15 SP7	22.22.0-150700.3.6.1 fixed
suse enterprise server 15 SP6	22.22.0-150600.13.12.1 fixed
suse enterprise server 15 SP7	22.22.0-150700.3.6.1 fixed

npm20

suse enterprise server 15 SP5	20.20.0-150500.11.24.1 fixed
suse enterprise server 15 SP6	20.20.0-150600.3.15.1 fixed

npm22

suse enterprise sap 15 SP7	22.22.0-150700.3.6.1 fixed
suse enterprise server 15 SP6	22.22.0-150600.13.12.1 fixed
suse enterprise server 15 SP7	22.22.0-150700.3.6.1 fixed

Common Weakness Enumeration

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Vulnerability Media Exposure

[GERMAN] IBM App Connect Enterprise: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um Sicherheitsvorkehrungen zu umgehen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen Cross-Site Scripting Angriff durchzuführen, um einen SQL-Injection Angriff durchzuführen, und um beliebigen Programmcode auszuführen.
Published: 2026-04-07T22:00:00+00:00

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases