CVE-2025-59464

High CVSS: 7.5

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.

Vendor

Nodejs

Product

Node.js

CWE

CWE-400

Yayın Tarihi

2026-01-20 21:16:03

Güncelleme

2026-01-30 20:26:26

Source Identifier

support@hackerone.com

KEV Date Added

Kategoriler

CWE-400 Node.js HIGH Nodejs 2026

Referanslar

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Benzer Kayıtlar

Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject…

High

CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's Byt…

High

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_m…

Medium

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulne…

High

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessa…

Medium

CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Co…