CVE-2025-59464: Vulnerability in nodejs node
CVE-2025-59464 is a medium severity memory leak vulnerability in Node.js version 24.12.0 affecting its OpenSSL integration. The flaw occurs when converting X.509 certificate fields to UTF-8 during calls to socket.getPeerCertificate(true), where allocated buffers are not freed. Remote clients can exploit this by repeatedly initiating TLS connections, causing steady memory growth and potential resource exhaustion leading to denial of service. No known exploits are currently reported in the wild. The vulnerability requires no authentication but does require user interaction via TLS connections.
AI Analysis
Technical Summary
CVE-2025-59464 is a vulnerability identified in Node.js version 24.12.0 related to its integration with OpenSSL, specifically in the handling of X.509 certificate fields during TLS connections. When an application calls socket.getPeerCertificate(true), the process converts certificate fields to UTF-8 strings but fails to free the allocated memory buffers afterward. This results in a memory leak that accumulates with each TLS connection where this function is invoked. Remote clients can exploit this by repeatedly establishing TLS connections, causing the server's memory usage to grow steadily over time. This memory exhaustion can degrade performance and eventually lead to denial of service (DoS) conditions. The vulnerability does not affect confidentiality or integrity since it does not allow data leakage or modification, but it impacts availability. The CVSS v3.0 score is 6.5 (medium severity) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality or integrity impact, but high impact on availability. No known exploits are currently reported in the wild, and no patches are linked yet. The CWE classification is CWE-400 (Uncontrolled Resource Consumption). This vulnerability is particularly relevant for Node.js applications that handle many TLS connections and call getPeerCertificate(true), such as web servers, API gateways, or microservices using mutual TLS authentication. Over time, the memory leak can cause resource exhaustion, leading to crashes or degraded service.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the availability of services relying on Node.js 24.12.0 that perform TLS client certificate inspection via socket.getPeerCertificate(true). Industries with high TLS traffic such as finance, e-commerce, telecommunications, and public sector services could experience degraded performance or outages due to memory exhaustion. This can disrupt business operations, cause downtime, and impact customer trust. Since the vulnerability requires repeated TLS connections from remote clients, automated attacks or misconfigured clients could unintentionally trigger the leak. The lack of confidentiality or integrity impact reduces the risk of data breaches, but denial of service can still have significant operational and reputational consequences. Organizations with large-scale Node.js deployments or those using mutual TLS for authentication are most vulnerable. The absence of known exploits in the wild provides some time for mitigation, but proactive measures are necessary to prevent exploitation. The impact is compounded in cloud or containerized environments where resource limits are strict, potentially causing service restarts or failures.
Mitigation Recommendations
1. Upgrade Node.js to a version where this vulnerability is patched as soon as it becomes available. Monitor Node.js release notes and security advisories closely.
2. If immediate upgrade is not possible, implement rate limiting on TLS connection attempts to reduce the frequency of calls to socket.getPeerCertificate(true), thereby slowing memory leak progression.
3. Monitor application memory usage and set alerts for abnormal growth patterns indicative of leaks.
4. Review application code to minimize unnecessary calls to socket.getPeerCertificate(true), especially with the 'true' argument that triggers full certificate chain retrieval.
5. Consider deploying Web Application Firewalls (WAFs) or network-level protections to detect and block suspicious repeated TLS connection attempts from single clients.
6. Use container orchestration or process supervisors to automatically restart Node.js processes before memory exhaustion causes crashes.
7. Conduct penetration testing and stress testing simulating repeated TLS connections to evaluate the impact and effectiveness of mitigations.
8. Educate development and operations teams about this vulnerability to ensure awareness and timely response.
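The following is an added example, written for this page and not code from the advisory, from Node.js or from OpenSSL. It shows, in Node.js, how recommendations 2, 3 and 4 above can be put into a server's own code while a fix is pending: a per-client-IP token bucket bounds how often one remote address can trigger a certificate inspection, a wrapper keeps socket.getPeerCertificate(true) off unless the caller explicitly needs the chain, and a detector over RSS samples flags sustained growth so an alert fires before the process is exhausted. The names TokenBucketByIp, inspectPeerCertificate, MemoryGrowthDetector, makeFakeSocket and simulateBurst are this example's own, the fake socket and its certificate objects are constructed stand-ins so the code runs offline, and the thresholds (5 inspections per client per second, 1 MiB growth per sample over a 12-sample window) are illustrative assumptions to be tuned per deployment.

```javascript
'use strict';

// Per-client-IP token bucket: bounds how often one remote address can cause a
// certificate inspection, and so a getPeerCertificate call, per unit time.
class TokenBucketByIp {
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;               // injectable clock so tests are deterministic
    this.buckets = new Map();     // ip -> { tokens, last }
  }
  allow(ip) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b) { b = { tokens: this.capacity, last: t }; this.buckets.set(ip, b); }
    const elapsedSec = Math.max(0, (t - b.last) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.last = t;
    if (b.tokens >= 1) { b.tokens -= 1; return true; }
    return false;
  }
}

// Walk issuerCertificate links; Node terminates the chain from
// getPeerCertificate(true) by having a self-signed root reference itself.
function countChain(cert) {
  let depth = 0;
  for (let c = cert; c && depth < 16; c = c.issuerCertificate) {
    depth += 1;
    if (c.issuerCertificate === c) break;
  }
  return depth;
}

// Summarise the peer certificate. `detailed: true` selects getPeerCertificate(true),
// the full-chain form the advisory identifies as the leaking path, so it is off
// by default and callers must opt in. The limiter is consulted first.
function inspectPeerCertificate(socket, limiter, { detailed = false } = {}) {
  const ip = socket.remoteAddress || 'unknown';
  if (!limiter.allow(ip)) return { ok: false, reason: 'rate-limited', ip };
  const cert = socket.getPeerCertificate(detailed);   // {} when no peer cert
  if (!cert || Object.keys(cert).length === 0) return { ok: false, reason: 'no-peer-certificate', ip };
  return {
    ok: true, ip, detailed,
    subjectCN: cert.subject && cert.subject.CN,
    fingerprint256: cert.fingerprint256,
    chainDepth: detailed ? countChain(cert) : undefined,
  };
}

// Sustained-growth detector over RSS samples in bytes: alerts when the
// least-squares slope across the window exceeds minBytesPerSample and most
// consecutive samples rose, so an ordinary GC sawtooth does not trip it.
class MemoryGrowthDetector {
  constructor({ window = 12, minBytesPerSample = 1024 * 1024, minFraction = 0.8 } = {}) {
    Object.assign(this, { window, minBytesPerSample, minFraction, samples: [] });
  }
  sample() { return this.push(process.memoryUsage().rss); }  // call from a timer in production
  push(rssBytes) {
    this.samples.push(rssBytes);
    if (this.samples.length > this.window) this.samples.shift();
    return this.evaluate();
  }
  evaluate() {
    const s = this.samples, n = s.length;
    if (n < this.window) return { growing: false, slope: 0, rising: 0 };
    const xMean = (n - 1) / 2, yMean = s.reduce((a, b) => a + b, 0) / n;
    let num = 0, den = 0, rising = 0;
    for (let i = 0; i < n; i++) {
      num += (i - xMean) * (s[i] - yMean);
      den += (i - xMean) ** 2;
      if (i > 0 && s[i] > s[i - 1]) rising += 1;
    }
    const slope = num / den;
    const growing = slope >= this.minBytesPerSample && rising / (n - 1) >= this.minFraction;
    return { growing, slope, rising };
  }
}

// Constructed stand-in for a tls.TLSSocket so the helpers run offline. The
// certificate objects mimic the shape Node returns; every value is made up.
function makeFakeSocket(ip, { withCert = true } = {}) {
  const root = { subject: { CN: 'Constructed Root CA' }, fingerprint256: 'ROOT-FP' };
  root.issuerCertificate = root;   // self-signed root, as Node represents it
  const leaf = { subject: { CN: 'client.example' }, fingerprint256: 'LEAF-FP', issuerCertificate: root };
  return {
    remoteAddress: ip,
    getPeerCertificate(detailed) {
      if (!withCert) return {};
      if (detailed) return leaf;
      const { issuerCertificate: _chain, ...summary } = leaf;   // no chain without `true`
      return summary;
    },
  };
}

// One client opening `attempts` connections within the same second against a
// bucket of 5 per client: only the first 5 reach getPeerCertificate at all.
function simulateBurst(ip, attempts) {
  const limiter = new TokenBucketByIp({ capacity: 5, refillPerSecond: 0, now: () => 0 });
  const socket = makeFakeSocket(ip);
  const out = { inspected: 0, rateLimited: 0 };
  for (let i = 0; i < attempts; i++) {
    const r = inspectPeerCertificate(socket, limiter);
    if (r.ok) out.inspected += 1; else if (r.reason === 'rate-limited') out.rateLimited += 1;
  }
  return out;
}
```

In a real server the handler for the 'secureConnection' event would call inspectPeerCertificate(socket, limiter) with a shared limiter whose refill rate matches the expected legitimate reconnection rate, and a timer (with unref() so it does not keep the process alive) would call detector.sample() every few seconds and page on-call when growing becomes true. Combining the two matters: the limiter slows the leak per client, while the detector catches growth from many clients or from a leak the limiter does not cover.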
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: hackerone
- Date Reserved: 2025-09-16T15:00:07.875Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 696feab04623b1157c4e3b75
Added to database: 1/20/2026, 8:50:56 PM
Last enriched: 1/28/2026, 8:21:18 PM
Last updated: 2/6/2026, 6:42:09 PM