[High] Patch nodejs18 for CVE-2025-55131 (#15566)

v-aaditya · jslobodzian · web-flow · commit 88d37df27e16 · 2026-01-23T15:17:25.000-05:00
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2025-55131.patch b/SPECS/nodejs/CVE-2025-55131.patch
@@ -0,0 +1,306 @@
+From 51f4de4b4a52b5b0eb2c63ecbb4126577e05f636 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=A1=D0=BA=D0=BE=D0=B2=D0=BE=D1=80=D0=BE=D0=B4=D0=B0=20?=
+ =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=90=D0=BD=D0=B4=D1=80?=
+ =?UTF-8?q?=D0=B5=D0=B5=D0=B2=D0=B8=D1=87?= <chalkerx@gmail.com>
+Date: Fri, 7 Nov 2025 11:50:57 -0300
+Subject: [PATCH] src,lib: refactor unsafe buffer creation to remove zero-fill
+ toggle
+
+This removes the zero-fill toggle mechanism that allowed JavaScript
+to control ArrayBuffer initialization via shared memory. Instead,
+unsafe buffer creation now uses a dedicated C++ API.
+
+Refs: https://hackerone.com/reports/3405778
+Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
+Co-Authored-By: Joyee Cheung <joyeec9h3@gmail.com>
+Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
+PR-URL: https://github.com/nodejs-private/node-private/pull/759
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/799
+CVE-ID: CVE-2025-55131
+
+Upstream Patch Reference: https://github.com/nodejs/node/commit/51f4de4b4a.patch 
+---
+ deps/v8/include/v8-array-buffer.h     |  7 +++
+ deps/v8/src/api/api.cc                | 17 ++++++
+ lib/internal/buffer.js                | 23 ++-----
+ lib/internal/process/pre_execution.js |  2 -
+ src/api/environment.cc                |  3 +-
+ src/node_buffer.cc                    | 86 ++++++++++++++++-----------
+ 6 files changed, 83 insertions(+), 55 deletions(-)
+
+diff --git a/deps/v8/include/v8-array-buffer.h b/deps/v8/include/v8-array-buffer.h
+index cc5d2d43..bf1df3e7 100644
+--- a/deps/v8/include/v8-array-buffer.h
++++ b/deps/v8/include/v8-array-buffer.h
+@@ -223,6 +223,13 @@ class V8_EXPORT ArrayBuffer : public Object {
+    */
+   static std::unique_ptr<BackingStore> NewBackingStore(Isolate* isolate,
+                                                        size_t byte_length);
++  /**
++   * Returns a new standalone BackingStore with uninitialized memory and
++   * return nullptr on failure.
++   * This variant is for not breaking ABI on Node.js LTS. DO NOT USE.
++   */
++  static std::unique_ptr<BackingStore> NewBackingStoreForNodeLTS(
++      Isolate* isolate, size_t byte_length);
+   /**
+    * Returns a new standalone BackingStore that takes over the ownership of
+    * the given buffer. The destructor of the BackingStore invokes the given
+diff --git a/deps/v8/src/api/api.cc b/deps/v8/src/api/api.cc
+index 3b1a8168..e542eb5a 100644
+--- a/deps/v8/src/api/api.cc
++++ b/deps/v8/src/api/api.cc
+@@ -8213,6 +8213,23 @@ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
+       static_cast<v8::BackingStore*>(backing_store.release()));
+ }
+ 
++std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStoreForNodeLTS(
++    Isolate* v8_isolate, size_t byte_length) {
++  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(v8_isolate);
++  API_RCS_SCOPE(i_isolate, ArrayBuffer, NewBackingStore);
++  CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
++  ENTER_V8_NO_SCRIPT_NO_EXCEPTION(i_isolate);
++  std::unique_ptr<i::BackingStoreBase> backing_store =
++      i::BackingStore::Allocate(i_isolate, byte_length,
++                                i::SharedFlag::kNotShared,
++                                i::InitializedFlag::kUninitialized);
++  if (!backing_store) {
++    return nullptr;
++  }
++  return std::unique_ptr<v8::BackingStore>(
++      static_cast<v8::BackingStore*>(backing_store.release()));
++}
++
+ std::unique_ptr<v8::BackingStore> v8::SharedArrayBuffer::NewBackingStore(
+     void* data, size_t byte_length, v8::BackingStore::DeleterCallback deleter,
+     void* deleter_data) {
+diff --git a/lib/internal/buffer.js b/lib/internal/buffer.js
+index fbe9de24..23df382f 100644
+--- a/lib/internal/buffer.js
++++ b/lib/internal/buffer.js
+@@ -30,7 +30,7 @@ const {
+   hexWrite,
+   ucs2Write,
+   utf8Write,
+-  getZeroFillToggle,
++  createUnsafeArrayBuffer,
+ } = internalBinding('buffer');
+ 
+ const {
+@@ -1053,26 +1053,14 @@ function markAsUntransferable(obj) {
+   obj[untransferable_object_private_symbol] = true;
+ }
+ 
+-// A toggle used to access the zero fill setting of the array buffer allocator
+-// in C++.
+-// |zeroFill| can be undefined when running inside an isolate where we
+-// do not own the ArrayBuffer allocator.  Zero fill is always on in that case.
+-let zeroFill = getZeroFillToggle();
+ function createUnsafeBuffer(size) {
+-  zeroFill[0] = 0;
+-  try {
++  if (size <= 64) {
++    // Allocated in heap, doesn't call backing store anyway
++    // This is the same that the old impl did implicitly, but explicit now
+     return new FastBuffer(size);
+-  } finally {
+-    zeroFill[0] = 1;
+   }
+-}
+ 
+-// The connection between the JS land zero fill toggle and the
+-// C++ one in the NodeArrayBufferAllocator gets lost if the toggle
+-// is deserialized from the snapshot, because V8 owns the underlying
+-// memory of this toggle. This resets the connection.
+-function reconnectZeroFillToggle() {
+-  zeroFill = getZeroFillToggle();
++  return new FastBuffer(createUnsafeArrayBuffer(size));
+ }
+ 
+ module.exports = {
+@@ -1082,5 +1070,4 @@ module.exports = {
+   createUnsafeBuffer,
+   readUInt16BE,
+   readUInt32BE,
+-  reconnectZeroFillToggle,
+ };
+diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
+index 4795be82..f95ab3de 100644
+--- a/lib/internal/process/pre_execution.js
++++ b/lib/internal/process/pre_execution.js
+@@ -16,7 +16,6 @@ const {
+   getOptionValue,
+   refreshOptions,
+ } = require('internal/options');
+-const { reconnectZeroFillToggle } = require('internal/buffer');
+ const {
+   defineOperation,
+   exposeInterface,
+@@ -56,7 +55,6 @@ function prepareExecution(options) {
+   const { expandArgv1, initializeModules, isMainThread } = options;
+ 
+   refreshRuntimeOptions();
+-  reconnectZeroFillToggle();
+ 
+   // Patch the process object and get the resolved main entry point.
+   const mainEntry = patchProcessObject(expandArgv1);
+diff --git a/src/api/environment.cc b/src/api/environment.cc
+index de58a26f..cbe77199 100644
+--- a/src/api/environment.cc
++++ b/src/api/environment.cc
+@@ -104,8 +104,9 @@ void* NodeArrayBufferAllocator::Allocate(size_t size) {
+     ret = allocator_->Allocate(size);
+   else
+     ret = allocator_->AllocateUninitialized(size);
+-  if (LIKELY(ret != nullptr))
++  if (ret != nullptr) [[likely]] {
+     total_mem_usage_.fetch_add(size, std::memory_order_relaxed);
++  }
+   return ret;
+ }
+ 
+diff --git a/src/node_buffer.cc b/src/node_buffer.cc
+index 4bc7336e..cf284fd6 100644
+--- a/src/node_buffer.cc
++++ b/src/node_buffer.cc
+@@ -72,7 +72,6 @@ using v8::Object;
+ using v8::SharedArrayBuffer;
+ using v8::String;
+ using v8::Uint32;
+-using v8::Uint32Array;
+ using v8::Uint8Array;
+ using v8::Value;
+ 
+@@ -1207,7 +1206,7 @@ static void EncodeInto(const FunctionCallbackInfo<Value>& args) {
+   size_t dest_length = dest->ByteLength();
+ 
+   // results = [ read, written ]
+-  Local<Uint32Array> result_arr = args[2].As<Uint32Array>();
++  Local<v8::Uint32Array> result_arr = args[2].As<v8::Uint32Array>();
+   uint32_t* results = reinterpret_cast<uint32_t*>(
+       static_cast<char*>(result_arr->Buffer()->Data()) +
+       result_arr->ByteOffset());
+@@ -1261,35 +1260,6 @@ void SetBufferPrototype(const FunctionCallbackInfo<Value>& args) {
+   env->set_buffer_prototype_object(proto);
+ }
+ 
+-void GetZeroFillToggle(const FunctionCallbackInfo<Value>& args) {
+-  Environment* env = Environment::GetCurrent(args);
+-  NodeArrayBufferAllocator* allocator = env->isolate_data()->node_allocator();
+-  Local<ArrayBuffer> ab;
+-  // It can be a nullptr when running inside an isolate where we
+-  // do not own the ArrayBuffer allocator.
+-  if (allocator == nullptr) {
+-    // Create a dummy Uint32Array - the JS land can only toggle the C++ land
+-    // setting when the allocator uses our toggle. With this the toggle in JS
+-    // land results in no-ops.
+-    ab = ArrayBuffer::New(env->isolate(), sizeof(uint32_t));
+-  } else {
+-    uint32_t* zero_fill_field = allocator->zero_fill_field();
+-    std::unique_ptr<BackingStore> backing =
+-        ArrayBuffer::NewBackingStore(zero_fill_field,
+-                                     sizeof(*zero_fill_field),
+-                                     [](void*, size_t, void*) {},
+-                                     nullptr);
+-    ab = ArrayBuffer::New(env->isolate(), std::move(backing));
+-  }
+-
+-  ab->SetPrivate(
+-      env->context(),
+-      env->untransferable_object_private_symbol(),
+-      True(env->isolate())).Check();
+-
+-  args.GetReturnValue().Set(Uint32Array::New(ab, 0, 1));
+-}
+-
+ void DetachArrayBuffer(const FunctionCallbackInfo<Value>& args) {
+   Environment* env = Environment::GetCurrent(args);
+   if (args[0]->IsArrayBuffer()) {
+@@ -1357,6 +1327,54 @@ void CopyArrayBuffer(const FunctionCallbackInfo<Value>& args) {
+   memcpy(dest, src, bytes_to_copy);
+ }
+ 
++// Converts a number parameter to size_t suitable for ArrayBuffer sizes
++// Could be larger than uint32_t
++// See v8::internal::TryNumberToSize and v8::internal::NumberToSize
++inline size_t CheckNumberToSize(Local<Value> number) {
++  CHECK(number->IsNumber());
++  double value = number.As<Number>()->Value();
++  // See v8::internal::TryNumberToSize on this (and on < comparison)
++  double maxSize = static_cast<double>(std::numeric_limits<size_t>::max());
++  CHECK(value >= 0 && value < maxSize);
++  size_t size = static_cast<size_t>(value);
++#ifdef V8_ENABLE_SANDBOX
++  CHECK_LE(size, kMaxSafeBufferSizeForSandbox);
++#endif
++  return size;
++}
++
++void CreateUnsafeArrayBuffer(const FunctionCallbackInfo<Value>& args) {
++  Environment* env = Environment::GetCurrent(args);
++  if (args.Length() != 1) {
++    env->ThrowRangeError("Invalid array buffer length");
++    return;
++  }
++
++  size_t size = CheckNumberToSize(args[0]);
++
++  Isolate* isolate = env->isolate();
++
++  Local<ArrayBuffer> buf;
++
++  NodeArrayBufferAllocator* allocator = env->isolate_data()->node_allocator();
++  // 0-length, or zero-fill flag is set, or building snapshot
++  if (size == 0 || per_process::cli_options->zero_fill_all_buffers ||
++      allocator == nullptr) {
++    buf = ArrayBuffer::New(isolate, size);
++  } else {
++    std::unique_ptr<BackingStore> store =
++        ArrayBuffer::NewBackingStoreForNodeLTS(isolate, size);
++    if (!store) {
++      // This slightly differs from the old behavior,
++      // as in v8 that's a RangeError, and this is an Error with code
++      return env->ThrowRangeError("Array buffer allocation failed");
++    }
++    buf = ArrayBuffer::New(isolate, std::move(store));
++  }
++
++  args.GetReturnValue().Set(buf);
++}
++
+ void Initialize(Local<Object> target,
+                 Local<Value> unused,
+                 Local<Context> context,
+@@ -1379,6 +1397,8 @@ void Initialize(Local<Object> target,
+ 
+   SetMethod(context, target, "detachArrayBuffer", DetachArrayBuffer);
+   SetMethod(context, target, "copyArrayBuffer", CopyArrayBuffer);
++  SetMethodNoSideEffect(
++      context, target, "createUnsafeArrayBuffer", CreateUnsafeArrayBuffer);
+ 
+   SetMethod(context, target, "swap16", Swap16);
+   SetMethod(context, target, "swap32", Swap32);
+@@ -1418,8 +1438,6 @@ void Initialize(Local<Object> target,
+   SetMethod(context, target, "hexWrite", StringWrite<HEX>);
+   SetMethod(context, target, "ucs2Write", StringWrite<UCS2>);
+   SetMethod(context, target, "utf8Write", StringWrite<UTF8>);
+-
+-  SetMethod(context, target, "getZeroFillToggle", GetZeroFillToggle);
+ }
+ 
+ }  // anonymous namespace
+@@ -1463,10 +1481,10 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
+   registry->Register(StringWrite<HEX>);
+   registry->Register(StringWrite<UCS2>);
+   registry->Register(StringWrite<UTF8>);
+-  registry->Register(GetZeroFillToggle);
+ 
+   registry->Register(DetachArrayBuffer);
+   registry->Register(CopyArrayBuffer);
++  registry->Register(CreateUnsafeArrayBuffer);
+ }
+ 
+ }  // namespace Buffer
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -29,6 +29,7 @@ Patch9:         CVE-2025-23166.patch
 Patch10:        CVE-2025-7656.patch
 Patch11:        CVE-2025-5889.patch
 Patch12:        CVE-2025-5222.patch
+Patch13:        CVE-2025-55131.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -129,6 +130,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Fri Jan 23 2026 Aditya Singh <v-aditysing@microsoft.com> - 18.20.3-11
+- Patch for CVE-2025-55131
+
 * Fri Nov 07 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 18.20.3-10
 - Patch for CVE-2025-5222
 
