{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-17T06:09:52.574","vulnerabilities":[{"cve":{"id":"CVE-2025-55131","sourceIdentifier":"support@hackerone.com","published":"2026-01-20T21:16:03.320","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact."},{"lang":"es","value":"Una falla en la lógica de asignación de búferes de Node.js puede exponer memoria no inicializada cuando las asignaciones son interrumpidas, al usar el módulo 'vm' con la opción de tiempo de espera. Bajo condiciones de tiempo específicas, los búferes asignados con 'Buffer.alloc' y otras instancias de 'TypedArray' como 'Uint8Array' pueden contener datos residuales de operaciones anteriores, permitiendo que secretos en proceso como tokens o contraseñas se filtren o causando corrupción de datos. Si bien la explotación normalmente requiere una sincronización precisa o la ejecución de código en proceso, puede volverse explotable de forma remota cuando una entrada no confiable influye en la carga de trabajo y los tiempos de espera, lo que lleva a un potencial impacto en la confidencialidad y la integridad."}],"metrics":{"cvssMetricV30":[{"source":"support@hackerone.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":5.5}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-120"}]}],"references":[{"url":"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases","source":"support@hackerone.com"}]}}]}