CVE-2025-23122
First published: Mon May 19 2025(Updated: )
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Node.js | >=20.0.0<=20.9999.9999>=22.0.0<=22.9999.9999 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-23122?
CVE-2025-23122 is classified as a high severity vulnerability due to the potential for unbounded memory leaks.
How do I fix CVE-2025-23122?
To fix CVE-2025-23122, upgrade to a patched version of Node.js that is beyond 20.9999.9999 or 22.9999.9999.
What impact does CVE-2025-23122 have on applications?
CVE-2025-23122 can lead to resource exhaustion and crashes due to continuous memory leaks from repeated use of the affected functionality.
Which versions of Node.js are affected by CVE-2025-23122?
CVE-2025-23122 affects Node.js versions from 20.0.0 to 20.9999.9999 and from 22.0.0 to 22.9999.9999.
Is CVE-2025-23122 a local or remote vulnerability?
CVE-2025-23122 can be exploited by local users who have the capability to run Node.js applications that utilize the vulnerable `ReadFileUtf8` functionality.
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/references
- agent/source
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/node.js
- canonical/node.js