The Node.js maintainers have kicked off the new year with a critical security release, addressing a trio of high-severity vulnerabilities that expose applications to data leaks, denial-of-service (DoS) attacks, and authentication bypasses. The updates, rolled out across all active release lines (25.x, 24.x, 22.x, and 20.x), tackle complex race conditions and logic flaws that could leave sensitive “in-process secrets like tokens or passwords” exposed.
The advisory lists a total of eight vulnerabilities—three high, four medium, and one low severity—along with dependency updates for c-ares and undici.
Headlining the patch is CVE-2025-55131, a high-severity flaw rooted in how Node.js handles memory allocation when interrupted. The vulnerability allows buffers to retain data from previous operations—essentially “dirty” memory—instead of being zeroed out.
According to the report, “Under specific timing conditions, buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations”.
This occurs specifically when using the vm module with a timeout option. If an allocation is interrupted by the timeout mechanism, the cleanup process fails, potentially “allowing in-process secrets like tokens or passwords to leak or causing data corruption”. While mostly a local threat, it becomes remotely exploitable if an attacker can influence the workload and trigger timeouts.
Two other flaws directly target Node.js’s experimental Permission Model, a feature designed to restrict what code can access on the disk and network.
- Symlink Bypass (CVE-2025-55130): Attackers can bypass `--allow-fs-read` restrictions using “crafted relative symlink paths.” By chaining directories and symlinks, a malicious script can “escape the allowed path and read sensitive files,” breaking the isolation guarantees.
- Unix Domain Socket Bypass (CVE-2026-21636): A medium-severity flaw allows attackers to use Unix Domain Sockets (UDS) to “bypass network restrictions when `--permission` is enabled,” potentially accessing privileged local services.
The update also fixes several Denial-of-Service (DoS) vectors:
- HTTP/2 Crash (CVE-2025-59465): A malformed HTTP/2 HEADERS frame can cause the server to crash by triggering an “unhandled TLSSocket error ECONNRESET”.
- TLS Callback Crash (CVE-2026-21637): Synchronous exceptions in TLS callbacks can bypass error handling, causing “immediate process termination or silent file descriptor leaks”.
The following patched versions are now available for download:
Developers are strongly advised to update their environments to prevent potential data leaks and service disruptions.