CVE-2025-23165

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-23165

Severity

Unknown

Description

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.

Impact:

This vulnerability affects APIs relying on ReadFileUtf8 on Node.js release lines: v20 and v22.

References

https://images.chainguard.dev/security/CGA-998c-4wrm-hh4r
https://github.com/advisories/GHSA-gcf6-vgcr-474f
https://images.chainguard.dev/security/CGA-6f6r-5p32-7vr2
https://images.chainguard.dev/security/CGA-h6hq-m39m-6v38
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
https://security.alpinelinux.org/vuln/CVE-2025-23165
https://security-tracker.debian.org/tracker/CVE-2025-23165

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-23165

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources