diff --git a/.github/sync-node-ncrypto.json b/.github/sync-node-ncrypto.json
index 5e32169..027b99b 100644
--- a/.github/sync-node-ncrypto.json
+++ b/.github/sync-node-ncrypto.json
@@ -1,3 +1,3 @@
 {
- "node_commit": "8385efc01343a835e3a0efe05611f44272cbb413"
+ "node_commit": "25f80fb7647d2c22b26359f4a5945a8c2b7efff3"
 }
diff --git a/src/ncrypto.cpp b/src/ncrypto.cpp
index 5e450e2..a6fa4de 100644
--- a/src/ncrypto.cpp
+++ b/src/ncrypto.cpp
@@ -156,7 +156,12 @@ DataPointer DataPointer::SecureAlloc(size_t len) {
 #ifndef OPENSSL_IS_BORINGSSL
 auto ptr = OPENSSL_secure_zalloc(len);
 if (ptr == nullptr) return {};
- return DataPointer(ptr, len, true);
+ // OPENSSL_secure_zalloc transparently falls back to a regular allocation
+ // when the secure heap is not initialized or is exhausted. Reflect the
+ // actual provenance of the pointer so that reset() routes to the correct
+ // free function (OPENSSL_secure_clear_free vs. OPENSSL_clear_free) and
+ // callers of isSecure() get a truthful answer.
+ return DataPointer(ptr, len, CRYPTO_secure_allocated(ptr) == 1);
 #else
 // BoringSSL does not implement the OPENSSL_secure_zalloc API.
 auto ptr = OPENSSL_malloc(len);
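Review bot: The silent fallback that this hunk now reports truthfully is a contract change that SecureAlloc's own documentation should state, because a caller holding key material in a buffer named "Secure" will otherwise assume secure-heap backing that the new `CRYPTO_secure_allocated(ptr) == 1` line can legitimately report as false. I would add to the function's doc comment (presumably in the header, outside this hunk): `Returns a non-secure allocation when the OpenSSL secure heap is uninitialized or exhausted (and always under BoringSSL); callers that require secure-heap backing must check isSecure() and treat false as a hard failure rather than a degraded mode.` The new in-body comment describes the free-routing side of this well, but nothing tells the caller that the degraded case exists or how to detect it. As far as I recall, OPENSSL_secure_clear_free already tolerates non-secure pointers, so the observable effect of the change is the isSecure() answer, which makes documenting it the more important half. The body of SecureAlloc continues past the end of the hunk.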