CVE-2025-23165
nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS
Severity Score
3.7
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding.
This update for nodejs20 fixes the following issues. Improper error handling in async cryptographic operations crashes process. Improper HTTP header block termination in llhttp. Add missing call to uv_fs_req_cleanup. Other bug fixes.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-01-12 CVE Reserved
- 2025-05-19 CVE Published
- 2025-05-28 CVE Updated
- 2025-07-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (3)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2025-23165 | 2025-06-04 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2367162 | 2025-06-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 4.0 < 4.* Search vendor "Nodejs" for product "Node" and version " >= 4.0 < 4.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 5.0 < 5.* Search vendor "Nodejs" for product "Node" and version " >= 5.0 < 5.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 6.0 < 6.* Search vendor "Nodejs" for product "Node" and version " >= 6.0 < 6.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 7.0 < 7.* Search vendor "Nodejs" for product "Node" and version " >= 7.0 < 7.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 8.0 < 8.* Search vendor "Nodejs" for product "Node" and version " >= 8.0 < 8.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 9.0 < 9.* Search vendor "Nodejs" for product "Node" and version " >= 9.0 < 9.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 10.0 < 10.* Search vendor "Nodejs" for product "Node" and version " >= 10.0 < 10.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 11.0 < 11.* Search vendor "Nodejs" for product "Node" and version " >= 11.0 < 11.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 12.0 < 12.* Search vendor "Nodejs" for product "Node" and version " >= 12.0 < 12.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 13.0 < 13.* Search vendor "Nodejs" for product "Node" and version " >= 13.0 < 13.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 14.0 < 14.* Search vendor "Nodejs" for product "Node" and version " >= 14.0 < 14.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 15.0 < 15.* Search vendor "Nodejs" for product "Node" and version " >= 15.0 < 15.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 16.0 < 16.* Search vendor "Nodejs" for product "Node" and version " >= 16.0 < 16.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 17.0 < 17.* Search vendor "Nodejs" for product "Node" and version " >= 17.0 < 17.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 18.0 < 18.* Search vendor "Nodejs" for product "Node" and version " >= 18.0 < 18.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 19.0 < 19.* Search vendor "Nodejs" for product "Node" and version " >= 19.0 < 19.*" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 20.0.0 <= 20.19.1 Search vendor "Nodejs" for product "Node" and version " >= 20.0.0 <= 20.19.1" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 22.0.0 <= 22.15.0 Search vendor "Nodejs" for product "Node" and version " >= 22.0.0 <= 22.15.0" | en |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node Search vendor "Nodejs" for product "Node" | >= 21.0 < 21.* Search vendor "Nodejs" for product "Node" and version " >= 21.0 < 21.*" | en |
Affected
| ||||||