CVE-2025-59464 Overview
CVE-2025-59464 is a memory leak in Node.js's OpenSSL integration that occurs while converting X.509 certificate fields to UTF-8. The allocated buffer is never freed after conversion. When an application invokes socket.getPeerCertificate(true), every certificate field leaks a small amount of memory. Remote clients can drive steady memory growth by opening repeated TLS connections, leading to resource exhaustion and denial of service. The flaw is tracked under CWE-400 Uncontrolled Resource Consumption.
Critical Impact
Unauthenticated remote attackers can exhaust process memory on TLS-enabled Node.js servers that inspect peer certificates, causing service outages without requiring any credentials or user interaction.
Affected Products
- Node.js runtime (see vendor advisory for affected release lines)
- Applications that call tls.TLSSocket.getPeerCertificate(true) on incoming connections
- Services using mutual TLS (mTLS) that parse client certificate fields
Discovery Timeline
- 2026-01-20 - CVE-2025-59464 published to NVD
- 2026-01-30 - Last updated in NVD database
Technical Details for CVE-2025-59464
Vulnerability Analysis
The defect lives in the Node.js binding layer that surfaces X.509 certificate metadata to JavaScript. When the runtime decodes certificate name fields into UTF-8 strings using OpenSSL helpers, the intermediate buffer returned by OpenSSL is not released. Each invocation of socket.getPeerCertificate(true) walks every field of the peer certificate, so the leak scales with both certificate complexity and connection volume. Long-lived server processes accumulate the orphaned allocations until the operating system kills the process or the V8 heap stalls under garbage collection pressure.
Root Cause
The root cause is missing cleanup of OpenSSL-allocated memory after UTF-8 conversion of X.509 name entries. The conversion helper returns a buffer that the caller is required to free, but the Node.js binding omits the corresponding free call. This pattern matches CWE-400, where program logic permits a remote actor to consume resources without limit.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker establishes repeated TLS handshakes against any Node.js endpoint where the application calls getPeerCertificate(true). Servers performing client certificate inspection, including reverse proxies, API gateways, and mTLS microservices, are direct targets. Because each handshake leaks predictably, attackers can model memory growth and reliably trigger out-of-memory conditions.
No verified public exploit code is available. Refer to the Node.js December 2025 Security Releases advisory for the authoritative technical description and patched commits.
Detection Methods for CVE-2025-59464
Indicators of Compromise
- Steady, monotonic growth of resident set size (RSS) in Node.js processes that terminate TLS connections.
- Repeated TLS handshakes from a small set of source addresses against endpoints that perform peer certificate inspection.
- Node.js process restarts triggered by out-of-memory (OOM) kills, visible in dmesg or container orchestrator events.
Detection Strategies
- Correlate Node.js process memory metrics with TLS handshake counts. A linear relationship between connection volume and RSS suggests leaked allocations.
- Inspect application code for calls to socket.getPeerCertificate(true) and audit whether they run on unauthenticated network paths.
- Capture V8 heap snapshots periodically and compare retained sizes for strings derived from certificate fields.
Monitoring Recommendations
- Alert on Node.js RSS exceeding baseline by a defined threshold over rolling windows.
- Track TLS connection rate per source IP on edge proxies and flag anomalous bursts targeting mTLS endpoints.
- Forward process restart and OOM-kill events to a central log pipeline for trend analysis.
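Added example, not part of the advisory: detection logic for the RSS-versus-handshake correlation described under Detection Strategies and the baseline alert under Monitoring Recommendations. It fits process RSS against the cumulative TLS handshake count over constructed samples; the alert thresholds, and the assumption that a collector pairs process.memoryUsage().rss with a handshake counter, are mine.

```javascript
// Constructed metric samples: [cumulative TLS handshakes, process RSS in bytes].
// A real collector would record process.memoryUsage().rss alongside a counter
// incremented in the server's 'secureConnection' handler (assumed, not from the page).
const SAMPLES = [
  [0, 52000000],
  [1000, 52900000],
  [2000, 53850000],
  [3000, 54700000],
  [4000, 55650000],
  [5000, 56600000],
];

// Least-squares fit of rss = slope * handshakes + intercept, plus Pearson r.
function fitLeak(samples) {
  const n = samples.length;
  const mx = samples.reduce((s, [x]) => s + x, 0) / n;
  const my = samples.reduce((s, [, y]) => s + y, 0) / n;
  let sxy = 0, sxx = 0, syy = 0;
  for (const [x, y] of samples) {
    sxy += (x - mx) * (y - my);
    sxx += (x - mx) ** 2;
    syy += (y - my) ** 2;
  }
  const slope = sxy / sxx;              // bytes retained per handshake
  const r = sxy / Math.sqrt(sxx * syy); // how linear the growth is in handshake count
  return { slope, intercept: my - slope * mx, r };
}

// Alert only when growth is strongly linear in handshake count AND large enough
// per handshake to matter; both thresholds are tunable assumptions.
function assessLeak(samples, { minR = 0.95, minBytesPerHandshake = 200 } = {}) {
  if (samples.length < 3) return { alert: false, reason: 'too few samples' };
  const { slope, r } = fitLeak(samples);
  return {
    alert: r >= minR && slope >= minBytesPerHandshake,
    bytesPerHandshake: Math.round(slope),
    r: Number(r.toFixed(3)),
  };
}

console.log(assessLeak(SAMPLES));
```

A flat or noisy RSS series with no handshake dependence yields a low slope and low r and is not flagged, which separates this signal from ordinary heap churn.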
How to Mitigate CVE-2025-59464
Immediate Actions Required
- Upgrade Node.js to a fixed release listed in the December 2025 security advisory.
- Inventory services that call getPeerCertificate(true) and prioritize patching those exposed to untrusted clients.
- Place rate limits on TLS handshake volume at upstream load balancers or reverse proxies.
Patch Information
Node.js published fixed builds as part of the December 2025 security releases. Apply the patched versions documented in the Node.js December 2025 Security Blog for each supported release line. After upgrading, restart all long-running Node.js processes so they load the patched binding.
Workarounds
- Where feasible, call getPeerCertificate() without the true argument to avoid traversing detailed name fields until patches are applied.
- Terminate mutual TLS at a hardened reverse proxy rather than directly in the Node.js application.
- Configure process supervisors with conservative memory limits and automatic restart policies to contain leak growth until remediation.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.