Home > Vulnerability Database > CVE-2025-23165

Mend.io Vulnerability Database

CVE-2025-23165

Good to know:

Date: May 18, 2025

In Node.js, the "ReadFileUtf8" internal binding leaks memory due to a corrupted pointer in "uv_fs_s.file": a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on "ReadFileUtf8" on Node.js release lines: v20 and v22.

Severity Score

3.7

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-23165

Url: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Url: https://www.mend.io/vulnerability-database/CVE-2025-23165

Severity Score

3.7

Weakness Type (CWE)

Missing Release of Memory after Effective Lifetime

CWE-401

Top Fix

Upgrade Version

Upgrade to version https://github.com/nodejs/node.git - v22.15.1;https://github.com/nodejs/node.git - v20.19.2

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-23165

Good to know:

Date: May 18, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?