CVE-2025-59464

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-59464
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59464.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-59464
Aliases
Downstream
Related
Published
2026-01-20T21:16:03.900Z
Modified
2026-02-03T12:58:39.790710Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A memory leak in Node.js’s OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
c5349f43cd66d2aa02d86414c9ed426f71d3ae48
Fixed
70f6b58ac655234435a99d72b857dd7b316d34bf

Affected versions

v24.*
v24.0.0
v24.0.1
v24.0.2
v24.1.0
v24.10.0
v24.11.0
v24.11.1
v24.2.0
v24.3.0
v24.4.0
v24.4.1
v24.5.0
v24.6.0
v24.7.0
v24.8.0
v24.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59464.json"