Vulnerability details: VCID-w46h-uy5d-8qcp
Vulnerability ID VCID-w46h-uy5d-8qcp
Aliases CVE-2025-23165
Summary In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23165.json
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2025-23165
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-23165
epss 0.00056 https://api.first.org/data/v1/epss?cve=CVE-2025-23165
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2025-23165
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 3.7 https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
ssvc Track https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
archlinux High https://security.archlinux.org/AVG-2872
archlinux High https://security.archlinux.org/AVG-2873
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-23165.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-19T13:55:12Z/ Found at https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Exploit Prediction Scoring System (EPSS)
Percentile 0.12361
EPSS Score 0.00042
Published At May 19, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-15T10:52:46.647522+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 36.0.0