DEBIAN-CVE-2025-55131
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | nodejs | 20.19.0+dfsg1-1, 0, 12.21.0~dfsg-5 |
| Debian:13 | nodejs | 20.19.2+dfsg, 0, * |
| Debian:14 | nodejs | 22.21.1+dfsg+~cs22.19.0-2, 22.21.1+dfsg+~cs22.19.0-3, 22.21.1+dfsg+~cs22.19.0-4 |
| Debian:12 | nodejs | 20.19.5+dfsg+~cs20.19.12-3, 20.19.5+dfsg+~cs20.19.12-4, 20.19.5+dfsg+~cs20.19.24-1 |
Timeline
- Jan 20, 2026 CVE Published
- May 14, 2026 CVE Updated