CVE-2025-59466

Published Jan 20, 2026

Last updated a month ago

Overview

Description
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
Source: support@hackerone.com
NVD status: Analyzed
Products: node.js

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

CVSS 3.0

Type: Secondary
Base score: 5.9
Impact score: 3.6
Exploitability score: 2.2
Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-248

Social media

  1. ⚠️ Critical Update: OpenClaw requires Node.js 22.12.0+ to patch CVE-2025-59466 (DoS) & CVE-2026-21636 (Permission bypass). If you're on older LTS, your gateway is vulnerable to identity exfiltration. Verify: node --version Fix: openclaw --update #OpenClaw #SecurityForce

    @MrVibeCoder

    13 Feb 2026


  2. Node.js at risk! ⚠️ CVE-2025-59466: async_hooks causes DoS in production. Update to 20.20.0+, 22.22.0+ or 24.13.0+ urgently! #Nodejs #Security #DevOps https://t.co/YLT1A2AVjU

    @multiverso_info

    20 Jan 2026


  3. kusanagi-nodejs22 Module Update 22.22.0-1 KUSANAGI 9 modules have been updated. The updated modules are as follows: nodejs 22.22.0-1 This update includes support for vulnerability(CVE-2025-59465, CVE-2025-55132, CVE-2025-55130, CVE-2025-59466,... https://t.co/Eq9v5q9WRi

    @kusanagi_saya

    20 Jan 2026


  4. 🐰 [Published 2026/01/13] 🐰 The Node.js Project has published its postponed security release. Node.js 20.20.0 / 22.22.0 / 24.13.0 / 25.3.0 address a total of 8 issues (including 3 High), and the async_hooks DoS (CVE-2025-59466), as a “mitigation”,

    @mt202505

    18 Jan 2026


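  5. Critical Node.js vulnerability can crash servers via async_hooks Stack Overflow Node.js has released an update fixing a critical DoS flaw caused by an async_hooks stack crash (tracked as CVE-2025-59466) that affects most production applications. https://t.co/F3EJX8nPVR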

    @Sixtytwo66

    16 Jan 2026


  6. Node.js fixes a critical vulnerability (CVE-2025-59466) that can take down practically any production app that uses async_hooks, including Next.js, React Server Components and almost all APMs. ⬇️🕵🏽‍♂️ #CybersecurityNews https://t.co/WVSaL6tHc8

    @Cris7ianJCC

    14 Jan 2026


  7. Node.js just fixed a critical vulnerability where async_hooks stack overflows can crash almost any production app (CVE-2025-59466). This uncatchable error affects everything from Next.js to APM tools, capable of triggering an instant DoS. https://t.co/waW6QxXZZb

    @Dhanush_Nehru

    14 Jan 2026


  8. 🚨 Critical Node.js Bug (CVE-2025-59466) Can Crash “Virtually Every” Production App via async_hooks Node.js fixed CVE-2025-59466 (CVSS 7.5), where a stack-overflow in user-controlled recursion with async_hooks/AsyncLocalStorage enabled can force Node to exit with code 7 ins

    @ThreatSynop

    14 Jan 2026


  9. ⚠️ Node.js users: A severe vulnerability in CVE-2025-59466 can crash your servers with a denial-of-service attack if you're using async_hooks. Here's what you need to know: WHAT PEOPLE SAW Users relying on Node.js for server operations see their applications function as http

    @photogrim_

    14 Jan 2026


  10. 🚨 Node.js fixed a DoS bug where apps crash instead of throwing a catchable error. 🧩 CVE-2025-59466 impacts Next.js, React Server Components, and most APM tools via AsyncLocalStorage. When async_hooks is enabled, deep recursion can force a hard process exit, dropping servic

    @TheHackersNews

    14 Jan 2026

