{
  "threat_severity" : "Important",
  "public_date" : "2026-01-20T20:41:55Z",
  "bugzilla" : {
    "description" : "nodejs: Nodejs uninitialized memory exposure",
    "id" : "2431350",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431350"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-497",
  "details" : [ "A flaw in Node.js's buffer allocation logic can expose uninitialized memory when an allocation is interrupted while the `vm` module is used with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, the flaw can become remotely exploitable when untrusted input influences the workload and timeouts, leading to a potential confidentiality and integrity impact.", "A memory exposure flaw has been discovered in Node.js. A flaw in Node.js's buffer allocation logic can expose uninitialized memory when an allocation is interrupted while the `vm` module is used with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1842",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.13.0-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1843",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs22-1:22.22.0-3.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2899",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "nodejs22-1:22.22.0-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2420",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260116121421.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2421",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020260119091831.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2422",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020260119100525.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260117213814.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2782",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9070020260117213838.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2783",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9070020260117213748.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2768",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nodejs:20-9040020260211171433.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2767",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:20-9060020260210180816.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2864",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:22-9060020260210120402.rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs20",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs24",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "nodejs25",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55131\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55131\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases" ],
  "name" : "CVE-2025-55131",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}