{"id":"CVE-2025-59464","details":"A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.","aliases":["BIT-node-2025-59464","BIT-node-min-2025-59464"],"modified":"2026-04-22T18:44:13.442242366Z","published":"2026-01-20T21:16:03.900Z","related":["CGA-rf96-vpm7-g7x5","SUSE-SU-2026:1299-1","SUSE-SU-2026:21181-1","openSUSE-SU-2026:10311-1","openSUSE-SU-2026:20519-1"],"references":[{"type":"ADVISORY","url":"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"c5349f43cd66d2aa02d86414c9ed426f71d3ae48"},{"fixed":"70f6b58ac655234435a99d72b857dd7b316d34bf"}],"database_specific":{"versions":[{"introduced":"24.0.0"},{"fixed":"24.12.0"}]}}],"versions":["v24.0.0","v24.0.1","v24.0.2","v24.1.0","v24.10.0","v24.11.0","v24.11.1","v24.2.0","v24.3.0","v24.4.0","v24.4.1","v24.5.0","v24.6.0","v24.7.0","v24.8.0","v24.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59464.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}