CVE-2025-23122

Name of the Vulnerable Software and Affected Versions: Node.js versions v20 and v22

Description: The issue is related to a memory leak in the ReadFileUtf8 internal binding of Node.js, caused by a corrupted pointer in uv fs s.file. This occurs when a UTF-16 path buffer is allocated but then overwritten when the file descriptor is set, resulting in an unrecoverable memory leak on every call. Repeated use can lead to unbounded memory growth, causing a denial of service. This affects APIs that rely on ReadFileUtf8.

Recommendations: For Node.js versions v20 and v22, as a temporary workaround, consider restricting the use of the ReadFileUtf8 internal binding until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.