{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-20T20:41:55Z",
  "bugzilla" : {
    "description" : "nodejs: Nodejs memory leak",
    "id" : "2431344",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431344"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.", "A resource consumption flaw has been discovered in NodeJS. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6402",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6431",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7378",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7386",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs20-main-20.20.0-7.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7387",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs22-main-22.22.0-1.3.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-11T00:00:00Z",
    "advisory" : "RHSA-2026:7657",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs22",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "nodejs24",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:24/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs:20/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:22/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:24/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59464\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59464\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases" ],
  "name" : "CVE-2025-59464",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}