CVE-2025-23165 Overview
CVE-2025-23165 is a memory leak vulnerability in Node.js affecting the ReadFileUtf8 internal binding. The flaw occurs due to a corrupted pointer in uv_fs_s.file where a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call, and repeated use can cause unbounded memory growth, ultimately leading to a denial of service condition.
Critical Impact
Applications using Node.js APIs that rely on ReadFileUtf8 may experience memory exhaustion and denial of service through accumulated memory leaks.
Affected Products
- Node.js v20.x release line
- Node.js v22.x release line
- Applications using APIs relying on ReadFileUtf8 binding
Discovery Timeline
- 2025-05-19 - CVE CVE-2025-23165 published to NVD
- 2025-05-19 - Last updated in NVD database
Technical Details for CVE-2025-23165
Vulnerability Analysis
This vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime). The core issue resides in the internal ReadFileUtf8 binding within Node.js, which is responsible for reading file contents with UTF-8 encoding. During the file reading operation, the binding allocates a UTF-16 path buffer to handle file path conversions. However, a programming error causes the pointer to this allocated buffer to be corrupted when the file descriptor is subsequently set in the uv_fs_s.file structure.
The memory allocated for the UTF-16 path buffer becomes unreachable after the pointer corruption, meaning it cannot be properly freed by the garbage collector or manual memory management routines. This results in a memory leak that occurs on every invocation of functions relying on the ReadFileUtf8 binding.
Root Cause
The root cause is improper memory management in the ReadFileUtf8 internal binding. Specifically, the vulnerability stems from a sequence of operations where:
- A UTF-16 path buffer is dynamically allocated to handle file path encoding
- The pointer to this allocated memory is stored in a structure field
- The file descriptor is subsequently written to the same or an adjacent field, corrupting the pointer
- The original memory reference is lost, preventing deallocation
This represents a classic memory leak pattern where allocated memory becomes orphaned due to pointer corruption, falling under the CWE-401 classification.
Attack Vector
The attack vector is network-based, though exploitation requires specific conditions. An attacker could trigger this vulnerability by causing an application to repeatedly invoke file reading operations that utilize the ReadFileUtf8 binding. In server environments where Node.js handles file operations based on user requests, an attacker could:
- Send numerous requests that trigger file reading operations
- Each request causes a small memory leak
- Over time, accumulated leaks exhaust available memory
- The application becomes unresponsive or crashes due to memory exhaustion
The attack does not require authentication or user interaction but does require the ability to trigger file reading operations in the target application. The practical exploitability depends on how the target application uses file reading APIs.
Detection Methods for CVE-2025-23165
Indicators of Compromise
- Gradual increase in Node.js process memory consumption over time without corresponding workload increase
- Out-of-memory errors or crashes in Node.js applications under normal operating conditions
- Abnormally high memory usage reported by monitoring tools for Node.js processes
- System-level memory pressure or swap usage increases correlated with Node.js activity
Detection Strategies
- Monitor Node.js process memory usage patterns using process monitoring tools like pm2 or system metrics
- Implement memory profiling in Node.js applications using the --inspect flag and Chrome DevTools
- Set up alerts for memory threshold breaches in application performance monitoring (APM) solutions
- Review application logs for memory-related warnings or out-of-memory exceptions
Monitoring Recommendations
- Configure container memory limits and monitoring to detect gradual memory increases
- Deploy SentinelOne Singularity to monitor for anomalous process behavior and resource consumption patterns
- Implement periodic application restarts as a temporary measure while awaiting patching
- Establish baseline memory consumption metrics for Node.js applications to identify deviations
How to Mitigate CVE-2025-23165
Immediate Actions Required
- Upgrade Node.js to the latest patched version as indicated in the Node.js security releases
- Review application code to identify usage of APIs that may rely on ReadFileUtf8 binding
- Implement application-level memory monitoring to detect and respond to memory leaks
- Consider implementing request rate limiting for endpoints that trigger file reading operations
Patch Information
Node.js has released security updates addressing this vulnerability. Organizations should refer to the Node.js Security Release Blog for detailed patch information and upgrade instructions. The security release covers both the v20 and v22 release lines affected by this vulnerability.
Users should upgrade to the latest available versions in their respective release lines:
- For Node.js v20.x: Upgrade to the latest v20 security release
- For Node.js v22.x: Upgrade to the latest v22 security release
Workarounds
- Implement periodic application restarts to reclaim leaked memory before exhaustion occurs
- Deploy memory monitoring with automatic restart triggers when thresholds are exceeded
- Rate limit or throttle file reading operations to slow the rate of memory accumulation
- Consider alternative file reading approaches that may not rely on the affected ReadFileUtf8 binding
# Example: Configure PM2 to restart Node.js app when memory exceeds threshold
pm2 start app.js --max-memory-restart 1G
# Example: Monitor Node.js memory usage
node --expose-gc --max-old-space-size=2048 app.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
