216.73.217.86

CVE-2025-55131

· Published 20/01/2026 22:16 · Author: The MITRE Corporation

Labels: CVE-2025-55131 2026-01-20CVE-2025-55131[email protected]

Essential information

Published
20/01/2026 22:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.1 HIGH (v3.1)
CISA KEV
No
CWE
CWE-120 CWE-497
EPSS (First)
P57.7% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00978)
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

CVSS metrics

Description

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

NVD status

NVD
View on NVD