
Node.js developers need to patch immediately. The project released emergency updates across all active versions (20.x through 25.x) on Tuesday, addressing eight security flaws—three rated high severity—that could expose sensitive data or crash production servers.
The most alarming vulnerability (CVE-2025-55131) stems from a timing attack in buffer allocation. When operations get interrupted during Buffer.alloc or Uint8Array creation, the system can serve up uninitialized memory containing leftover secrets such as authentication tokens or passwords. "This typically requires precise timing," the security team notes, "but becomes remotely exploitable when untrusted input influences workload and timeouts."
Security researcher Nikita Skovoroda discovered and patched the buffer issue, which affects every supported Node.js release line.
Two other high-severity bugs target different attack vectors. CVE-2025-59465 allows attackers to crash HTTP/2 servers by sending malformed HEADERS frames with oversized HPACK data, triggering unhandled connection errors. Meanwhile, CVE-2025-55130 bypasses the permission model's file system restrictions through cleverly chained symlinks, allowing scripts to escape their sandboxes and read or write arbitrary files.
The remaining five vulnerabilities, ranging from medium to low severity, still warrant attention. One creates uncatchable stack overflow errors when async_hooks are enabled, another leaks memory when processing TLS client certificates, and a third allows Unix Domain Socket connections to slip past network restrictions.
Rafael Goncalves Santos Silva (RafaelGSS) and Matteo Collina led most of the remediation work, with contributions from external security researchers who flagged these issues through responsible disclosure.
The updates are available now as versions 20.20.0, 22.22.0, 24.13.0, and 25.3.0. Given that end-of-life versions remain perpetually vulnerable, teams still running older releases face mounting risk. The Node.js security team recommends immediate deployment, especially for applications that handle sensitive data or expose HTTP/2 endpoints to untrusted networks.
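A quick way to check whether a running Node.js process is on or above one of those fixed releases, as an added example that is not from the article or from the Node.js project: the four patched version numbers are the ones given above; the `patchStatus` function name, the `eol` and `newer-than-advisory` labels, and the assumption that any release line the advisory does not name is end-of-life are ours.

```javascript
// Added example, not code from the article or from the Node.js project.
// The patched version numbers are the ones the article lists; how other
// release lines are treated below is an assumption for illustration.
const PATCHED_RELEASES = { 20: '20.20.0', 22: '22.22.0', 24: '24.13.0', 25: '25.3.0' };
const NEWEST_LINE_IN_ADVISORY = 25;

// Parse "v24.13.0" or "24.13.0" into [major, minor, patch] numbers.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version against the advisory:
//   'patched'             at or above the fixed release for its line
//   'vulnerable'          an active line, but below the fixed release
//   'eol'                 a line the advisory does not name (assumed end-of-life)
//   'newer-than-advisory' a major newer than anything the advisory names
function patchStatus(version) {
  const [major] = parseVersion(version);
  if (major > NEWEST_LINE_IN_ADVISORY) return 'newer-than-advisory';
  const fixed = PATCHED_RELEASES[major];
  if (fixed === undefined) return 'eol';
  return compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Report on the current process.
const status = patchStatus(process.version);
console.log(`Node.js ${process.version}: ${status}`);
```

In a CI job the same call can set a non-zero exit code for `vulnerable` or `eol`, so a fleet that still includes an unpatched line fails the build rather than quietly staying exposed.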
For organizations that can't patch instantly, disabling the vm module's timeout option and adding explicit error handlers to secure sockets provides temporary mitigation.