Post

Memory Buffer Leaks in Node.js Streams: Hidden Risks and How to Avoid Them

How mishandling Node.js streams can cause memory buffer leaks, stale data exposure, and how to fix them.

Posted
By Amar Khamkar
4 min read
Memory Buffer Leaks in Node.js Streams: Hidden Risks and How to Avoid Them

Streams in Node.js are incredibly powerful — they let you process data efficiently without loading everything into memory. But if they’re mishandled, you risk memory buffer leaks, where old data resurfaces in new responses.

This can lead to:

  • Corrupted API responses
  • Sensitive information leaking into server logs
  • Even other users data or secrets accidentally being exposed
  • Hours of debugging headaches

Let’s break this down with an example and then see how to fix it.

🚨 The Danger of Buffer.allocUnsafe

Node.js uses Buffer.allocUnsafe(size) internally in places like zlib.gunzip.
This is fast, but it does not clear memory — meaning it can reuse old memory blocks.

👉 If you don’t overwrite the full buffer, stale data remains and can “leak” into your output.

Demo: Stale Memory Leak

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// ❌ Demo: Showing stale memory leak
// Step 1: Write a large distinctive pattern
const secret = Buffer.from("🔥🔥🔥SUPER_SECRET🔥🔥🔥".repeat(100));
console.log("Original Secret:", secret.toString().slice(0, 50) + "...");

// Step 2: Force memory pressure
let garbage = [];
for (let i = 0; i < 100000; i++) {
  garbage.push(Buffer.from("garbage"));
}
garbage = null;

// Step 3: Unsafe allocation (uninitialized memory)
const leaky = Buffer.allocUnsafe(secret.length);
console.log("Leaky Buffer:", leaky.toString().slice(0, 50) + "...");

Output:

1
2

Buffer 1: SECRET_DATA
Buffer 2 (dirty): 0�c0▒▒▒

That gibberish itself is proof that Node.js did not zero out the memory — it’s showing raw, uninitialized bytes left over from previous allocations.

Even though we allocated a new buffer, Node.js reused the same memory block, causing old data (or arbitrary garbage) to resurface.

This isn’t a problem if you fully overwrite buf2. But if you only partially fill it (for example, due to incorrect stream handling), stale data will remain and may leak into your output.

🌐 Real-World Problem: Handling API Response Streams

Many third-party APIs return data as a stream (for example, https.get, AWS SDKs, Google APIs).

If you mishandle this stream:

  • Not consuming all chunks
  • Not awaiting asynchronous reads
  • Concatenating buffers incorrectly

… you risk ending up with partial data + old memory content.

❌ Wrong Way (Naive Handling)

1
2
3
4
5
6
7
8
9
10
11
12
13
14

import https from "https";

function fetchData(url) {
  return new Promise((resolve, reject) => {
    https.get(url, (res) => {
      let data = "";
      res.on("data", (chunk) => {
        data += chunk; // ❌ mixing Buffers with strings!
      });
      res.on("end", () => resolve(data));
      res.on("error", reject);
    });
  });
}

This approach is unsafe because:

  • Buffers are being coerced into strings
  • Multibyte characters may get split across chunks
  • Partial old data can sneak in when decoding

✅ Correct Way: Consume the Stream with for await...of

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

import https from "https";

async function fetchData(url) {
  return new Promise((resolve, reject) => {
    https.get(url, async (res) => {
      try {
        const chunks = [];
        for await (const chunk of res) {
          chunks.push(chunk); // always handle Buffers
        }
        const buffer = Buffer.concat(chunks);
        resolve(buffer.toString("utf8")); // safe decoding
      } catch (err) {
        reject(err);
      }
    });
  });
}

Here we:

  • Use for await...of to consume the entire stream
  • Store raw Buffers in an array
  • Combine them with Buffer.concat(), which correctly allocates fresh memory

🎭 Streams with Compression (zlib / gunzip)

The risk is higher with compressed streams, since zlib.gunzip uses Buffer.allocUnsafe.

Safe Usage

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

import { createGunzip } from "zlib";
import { pipeline } from "stream/promises";
import https from "https";

async function fetchAndUnzip(url) {
  return new Promise((resolve, reject) => {
    https.get(url, async (res) => {
      try {
        const chunks = [];
        const gunzip = createGunzip();

        await pipeline(res, gunzip);

        for await (const chunk of gunzip) {
          chunks.push(chunk);
        }

        const buffer = Buffer.concat(chunks);
        resolve(buffer.toString("utf8"));
      } catch (err) {
        reject(err);
      }
    });
  });
}

Here, we pipe the response through gunzip, and again collect all buffers safely.

✅ Best Practices to Avoid Buffer Leaks

  • Always consume the stream fully (for await...of or pipeline)
  • Never mix Buffers with strings mid-stream
  • Use Buffer.concat(chunks) — don’t manually slice or reuse old buffers
  • For sensitive data, prefer Buffer.alloc() (zero-filled) instead of Buffer.allocUnsafe()
  • Be cautious when decompressing — partial/incomplete streams can expose old memory contents

📝 Final Thoughts

Streams in Node.js are powerful, but subtle mistakes can cause old memory contents to reappear in your outputs or logs.

  • Always handle streams properly
  • Be careful with compression/decompression
  • Remember that Buffer.allocUnsafe is unsafe for a reason
Backend engineering, NODEJS
nodejs streams buffer memory debugging zlib
This post is licensed under CC BY 4.0 by the author.