2431350 – (CVE-2025-55131) CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Bug 2431350 (CVE-2025-55131) - CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Summary: CVE-2025-55131 nodejs: Nodejs uninitialized memory exposure

Keywords:
Status:	NEW
Alias:	CVE-2025-55131
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431479 2431481 2431485 2431488 2431491 2431495 2431498
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-20 21:03 UTC by OSIDB Bzimport
Modified:	2026-01-21 01:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-20 21:03:10 UTC

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Note You need to log in before you can comment on or make changes to this bug.