exploitDog

CVE-2025-23165

Published: May 19, 2025
Source: redhat
CVSS3: 3.7
EPSS: Low

Description

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact:

  • This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Additional information

Status: Low
Defect: CWE-401
https://bugzilla.redhat.com/show_bug.cgi?id=2367162 nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS

EPSS

Percentile: 20%
0.00064
Low

3.7 Low

CVSS3

Related vulnerabilities

CVSS3: 3.7
ubuntu
3 months ago

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

CVSS3: 3.7
nvd
3 months ago

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

CVSS3: 3.7
debian
3 months ago

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a ...

CVSS3: 3.7
github
3 months ago

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

suse-cvrf
about 2 months ago

Security update for nodejs22
