CVE-2025-23165 in Node.jsinfo

Summary

by MITRE • 05/19/2025

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 10/30/2025

The vulnerability identified as CVE-2025-23165 represents a critical memory management flaw within Node.js's internal file system operations, specifically impacting the `ReadFileUtf8` binding mechanism. This issue manifests through a corrupted pointer condition in the `uv_fs_s.file` structure where a UTF-16 path buffer undergoes allocation followed by subsequent overwrite when establishing the file descriptor. The flaw resides in the underlying libuv library integration within Node.js, creating a persistent memory leak with each invocation of the affected API. The technical root cause stems from improper memory handling during file operation initialization, where the system allocates memory for UTF-16 path representation but fails to maintain proper pointer integrity when transitioning to file descriptor management. This corruption creates a scenario where allocated memory becomes unrecoverable and continuously accumulates with each file read operation, establishing a fundamental memory leak pattern that escalates over time.

The operational impact of this vulnerability extends beyond simple memory consumption issues to potentially catastrophic system instability and service disruption. Every call to `ReadFileUtf8` triggers the memory leak mechanism, meaning that applications repeatedly using file reading operations will experience unbounded memory growth. This behavior directly aligns with CWE-401 Memory Leak, specifically targeting the improper management of allocated resources in the file system binding layer. The vulnerability affects Node.js versions v20 and v22, which represent significant portions of the current runtime environment, making the impact widespread across modern application deployments. Applications utilizing file system APIs for configuration loading, data processing, or content delivery will progressively consume increasing amounts of memory, eventually leading to system resource exhaustion and denial of service conditions.

The memory leak characteristics of this vulnerability create a particularly insidious threat to long-running Node.js applications where file operations are frequent and continuous. The corrupted pointer in `uv_fs_s.file` prevents proper memory deallocation mechanisms from functioning correctly, resulting in memory that remains allocated indefinitely. This pattern of resource consumption follows ATT&CK technique T1499.004 for Resource Exhaustion, specifically targeting memory resources through improper allocation and deallocation practices. The vulnerability's persistence means that even after individual file operations complete, the leaked memory remains unavailable for reuse, creating a cumulative effect that degrades system performance over time. Monitoring applications for memory growth patterns would reveal the characteristic exponential increase in memory consumption that correlates directly with file read operations, making detection straightforward once the pattern is recognized.

Mitigation strategies for CVE-2025-23165 must address both immediate operational concerns and long-term architectural considerations. The primary recommendation involves upgrading to patched versions of Node.js where the memory management issue has been resolved through proper pointer handling and memory deallocation mechanisms. Organizations should implement comprehensive monitoring for memory consumption patterns in their Node.js applications to detect early signs of memory leak accumulation. Temporary workarounds may include reducing file system operations frequency or implementing application-level memory management techniques such as periodic process restarts. The fix should ensure proper memory allocation and deallocation for UTF-16 path buffers, implementing safeguards against pointer corruption during file descriptor assignment operations. Additionally, security teams should conduct thorough vulnerability assessments of their Node.js deployments to identify applications potentially affected by this memory leak pattern, particularly those with high-frequency file I/O operations that could exacerbate the denial of service impact.

Responsible

Hackerone

Reservation

01/12/2025

Disclosure

05/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00480

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!