CVE-2025-59465

Published Jan 20, 2026

Last updated a month ago

CVSS high 7.5

Overview

Description
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
Source
support@hackerone.com
NVD status
Analyzed
Products
node.js

Risk scores

CVSS 3.0

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-400

Social media

Hype score
Not currently trending

  1. SUSE and openSUSE release Node.js 20.20.0 security update fixing multiple flaws, including CVE-2026-22036 and CVE-2025-59465 affecting TLSSocket and unsafe buffers. Admins should update now. #Nodejs https://t.co/XrTjLqZXJM

    @threatcluster

    12 Feb 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ⚠️ Vulnerabilidades en Node.js ❗ CVE-2025-59465 ❗ CVE-2025-55131 ❗ CVE-2025-55130 ➡️ Más info: https://t.co/f2f9WvQE7y https://t.co/4B6X02leVC

    @CERTpy

    20 Jan 2026

    100 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  3. kusanagi-nodejs22 Module Update 22.22.0-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: nodejs 22.22.0-1 This update includes support for vulnerability(CVE-2025-59465, CVE-2025-55132, CVE-2025-55130, CVE-2025-59466,... https://t.co/Eq9v5q9WRi

    @kusanagi_saya

    20 Jan 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. kusanagi-nodejs22 モジュール更新情報 22.22.0-1 KUSANAGI 9 を構成している各モジュールのアップデートを行いました。 アップデートにより適用される各モジュールのバージョンは、以下のとおりとなります。 nodejs 22

    @kusanagi_saya

    20 Jan 2026

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Node.js January 13, 2026 Security Releases https://t.co/AJE4YZ4bd1 CVE-2025-55131 Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled CVE-2025-55130 Bypass filesystem permissions using symlinks CVE-2025-59465 HTTP/2 server crashes with unhandled error &

    @oss_security

    15 Jan 2026

    1677 Impressions

    3 Retweets

    15 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  6. 🚀 Node.js v20.20.0 がリリースされました。 📅 リリース日: 2026-01-13 📦 種別: patch ✨ 主な変更点: • lib: 許可モデルが有効な場合にfutimesを無効化 (CVE-2025-55132) • lib: TLSSocketのデフォルトエラーハンドラを追加 (

    @darthnegi

    13 Jan 2026

    153 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚀 Node.js v22.22.0 がリリースされました。 📅 リリース日: 2026-01-13 📦 種別: patch ✨ 主な変更点: • c-aresをv1.34.6に更新 • undiciを6.23.0に更新 🔧 重要な修正: • (CVE-2025-59465) TLSSocketのデフォルトエラーハンド

    @darthnegi

    13 Jan 2026

    159 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚀 Node.js v24.13.0 がリリースされました。 📅 リリース日: 2026-01-13 📦 種別: patch ✨ 主な変更点: • c-aresをv1.34.6に更新 • undiciを7.18.2に更新 🔧 重要な修正: • (CVE-2025-59465) TLSSocketのデフォルトエラーハンド

    @darthnegi

    13 Jan 2026

    147 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚀 Node.js v25.3.0 がリリースされました。 📅 リリース日: 2026-01-13 📦 種別: minor ✨ 主な変更点: • c-aresをv1.34.6にアップデート • undiciを7.18.2にアップデート 🔧 重要な修正: • lib: TLSSocketのデフォルトエラー

    @darthnegi

    13 Jan 2026

    127 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.CVE-2026-21637
  2. A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.CVE-2026-21636
  3. We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.CVE-2025-59466
  4. A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.CVE-2025-59464
  5. A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.CVE-2025-55132

References

Sources include official advisories and independent security research.