Home > Vulnerability Database > CVE-2025-55131

Mend.io Vulnerability Database

CVE-2025-55131

Good to know:

Date: January 20, 2026

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the "vm" module with the timeout option. Under specific timing conditions, buffers allocated with "Buffer.alloc" and other "TypedArray" instances like "Uint8Array" may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.

Severity Score

7.1

Related Resources (4)

Url: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Url: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-55131

Url: https://www.mend.io/vulnerability-database/CVE-2025-55131

Severity Score

7.1

Top Fix

Upgrade Version

Upgrade to version https://github.com/nodejs/node.git - v20.20.0;https://github.com/nodejs/node.git - v22.22.0;https://github.com/nodejs/node.git - v24.13.0;https://github.com/nodejs/node.git - v25.3.0

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-55131

Good to know:

Date: January 20, 2026

Severity Score

Related Resources (4)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?