VDB
ALPINE-CVE-2025-55131
ALPINE-CVE-2025-55131
PUBLISHED
CVSS 7.099999904632568 HIGH
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
Risk Scores
CVSS v3.0
7.099999904632568
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.22 | nodejs | 0, 22.11.0-r0, 22.11.0-r1 |
| Alpine:v3.23 | nodejs | 24.11.1-r0, 22.11.0-r2, 22.19.0-r3 |
| Alpine:v3.21 | nodejs | 22.13.1-r0, 0, 22.11.0-r0 |
Timeline
- Jan 20, 2026 CVE Published
- Apr 5, 2026 CVE Updated
- Apr 30, 2026 Distribution Patch