Intel

AIKIDO-2026-10028

node is vulnerable to Use of Uninitialized Resource

Use of Uninitialized ResourceCVE-2025-55131 Published Jan 14, 2026

85

High Risk

This Affects:

OSnode
0.0.1 - 20.19.6
Fixed in 20.20.0
21.0.0 - 22.21.1
Fixed in 22.22.0
23.0.0 - 24.12.0
Fixed in 24.13.0
25.0.0 - 25.2.0
Fixed in 25.3.0
Are you affected? Scan for Free

TL;DR

Affected versions of the package may expose uninitialized memory due to a flaw in Node.js buffer allocation when allocations are interrupted while using the vm module with the timeout option. Under specific timing conditions, buffers created via Buffer.alloc or TypedArray instances such as Uint8Array may contain residual data from previous operations, potentially leaking in-process secrets like tokens or passwords or causing data corruption.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

node is vulnerable to Use of Uninitialized Resource in versions 25.0.0 - 25.2.0, 23.0.0 - 24.12.0, 21.0.0 - 22.21.1 and 0.0.1 - 20.19.6.

How to fix this

Upgrade the node library to a patch version.

Links

nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high
nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
access.redhat.com/errata/RHSA-2026:1842
https://access.redhat.com/errata/RHSA-2026:1842
access.redhat.com/errata/RHSA-2026:1843
https://access.redhat.com/errata/RHSA-2026:1843
access.redhat.com/errata/RHSA-2026:2420
https://access.redhat.com/errata/RHSA-2026:2420
access.redhat.com/errata/RHSA-2026:2421
https://access.redhat.com/errata/RHSA-2026:2421
access.redhat.com/errata/RHSA-2026:2422
https://access.redhat.com/errata/RHSA-2026:2422
access.redhat.com/errata/RHSA-2026:2767
https://access.redhat.com/errata/RHSA-2026:2767
access.redhat.com/errata/RHSA-2026:2768
https://access.redhat.com/errata/RHSA-2026:2768
access.redhat.com/errata/RHSA-2026:2781
https://access.redhat.com/errata/RHSA-2026:2781
access.redhat.com/errata/RHSA-2026:2782
https://access.redhat.com/errata/RHSA-2026:2782
access.redhat.com/errata/RHSA-2026:2783
https://access.redhat.com/errata/RHSA-2026:2783
access.redhat.com/errata/RHSA-2026:2864
https://access.redhat.com/errata/RHSA-2026:2864
access.redhat.com/errata/RHSA-2026:2899
https://access.redhat.com/errata/RHSA-2026:2899
access.redhat.com/errata/RHSA-2026:6402
https://access.redhat.com/errata/RHSA-2026:6402
access.redhat.com/errata/RHSA-2026:6431
https://access.redhat.com/errata/RHSA-2026:6431
access.redhat.com/errata/RHSA-2026:7386
https://access.redhat.com/errata/RHSA-2026:7386
access.redhat.com/errata/RHSA-2026:7387
https://access.redhat.com/errata/RHSA-2026:7387
access.redhat.com/security/cve/CVE-2025-55131
https://access.redhat.com/security/cve/CVE-2025-55131
bugzilla.redhat.com/show_bug.cgi?id=2431350
https://bugzilla.redhat.com/show_bug.cgi?id=2431350
security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55131.json