Node.js Buffer Allocation Logic Flaw in the VM Module Timeout Option

A vulnerability exists in Node.js's buffer allocation process, which can lead to the exposure of uninitialized memory. This issue arises when buffer allocations are disrupted while using the 'vm' module with the timeout option. Under certain timing conditions, buffers created with 'Buffer.alloc' and other 'TypedArray' instances, such as 'Uint8Array', may retain residual data from prior operations. This can result in the unintentional leakage of in-process secrets, like tokens or passwords, or cause data corruption. Although exploitation generally requires precise timing or execution of code within the same process, it could potentially be exploited remotely if untrusted input affects the workload and timeouts, compromising confidentiality and integrity.

Impact

This vulnerability is present in all active Node.js release lines: 20.x, 22.x, 24.x, and 25.x.

Remediation

Users can upgrade to Node.js versions 20.20.0, 22.22.0, 24.13.0, or 25.4.0 to address this vulnerability.