High

Node.js uninitialized memory exposure in Buffer.alloc and Uint8Array via vm timeout race

IdentifiersCVE-2025-55131CWE-908

CVE-2025-55131 is a high-severity Node.js vulnerability in buffer/TypedArray allocation logic. When the vm module is used with the timeout option, a timeout-driven race can interrupt allocations such that Buffer.alloc and other TypedArray instances, including Uint8Array, may be returned without being fully zero-initialized. Under specific timing conditions, this exposes leftover heap contents from prior operations to JavaScript code. The issue can result in disclosure of in-process data such as tokens, passwords, or other sensitive material, and may also cause data corruption. The provided content identifies affected release lines as Node.js 20.x, 22.x, 24.x, and 25.x, and notes fixes shipped in 20.20.0, 22.22.0, 24.13.0, and 25.3.0.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can disclose uninitialized process memory to attacker-controlled code, exposing sensitive in-process data such as tokens, passwords, or other secrets. Because the flaw affects allocation correctness, it can also lead to integrity issues through data corruption. Exploitation is generally constrained by the need for precise timing or in-process code execution, but the content notes that it may become remotely exploitable where untrusted input can influence workload characteristics and timeout behavior. The primary impacts are confidentiality loss and potential integrity degradation.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid or strictly limit use of the Node.js vm module with the timeout option, especially in code paths influenced by untrusted input. Reduce attacker influence over timing and workload shaping where feasible, and isolate untrusted code execution into separate processes or containers so that any memory disclosure cannot expose high-value secrets from the main application process. Minimize sensitive material resident in-process during execution of untrusted workloads.

Remediation

Patch, then assume compromise.

Upgrade Node.js to a patched release that includes the fix for CVE-2025-55131. The provided content states patched versions include Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. Ensure all affected active release lines are updated and redeploy applications against the fixed runtime.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NodejsModule.Nodejs-Nodemonapplication

NodejsNodejsapplication

NodejsNodejs-Nodemonapplication

NodejsNodejs-Packagingapplication

Rocky LinuxNodejsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app

the hacker newsNews

Jan 19, 2026

⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More

Unknown

the hacker newsNews

Jan 14, 2026

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

A high-severity Node.js vulnerability that could be exploited to cause data leakage or corruption (no further technical details provided in the content).

cyber security newsNews

Jan 13, 2026

Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines

High-severity uninitialized memory exposure in Node.js Buffer.alloc/Uint8Array related to vm module timeout races, potentially leaking sensitive data.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-55131

NVD

nvd.nist.gov/vuln/detail/CVE-2025-55131

MITRE CWE · CWE-908

cwe.mitre.org

nodejs.org

nodejs.org/en/blog/vulnerability/december-2025-security-releases