CVE-2025-59466

Node.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-59466 describes a flaw within Node.js's error handling mechanisms. Specifically, when `async_hooks.createHook()` is active, "Maximum call stack size exceeded" errors become uncatchable. This prevents the application from gracefully handling the error via `process.on('uncaughtException')`, leading to an unrecoverable process termination. This vulnerability affects applications that utilize `AsyncLocalStorage` (in versions 20 and 22) or `async_hooks.createHook()` (in versions 20, 22, and 24). Under certain conditions involving deep recursion, these applications can become susceptible to denial-of-service crashes.

Description
-

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. Node.js corrige una vulnerabilidad crítica (CVE-2025-59466) que puede tumbar prácticamente cualquier app en producción que use async_hooks, incluyendo Next.js, React Server Components y casi todos los APM. ⬇️🕵🏽‍♂️ #CybersecurityNews https://t.co/WVSaL6tHc8

    @Cris7ianJCC

    14 Jan 2026

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Node.js just fixed a critical vulnerability where async_hooks stack overflows can crash almost any production app (CVE-2025-59466). This uncatchable error affects everything from Next.js to APM tools, capable of triggering an instant DoS. https://t.co/waW6QxXZZb

    @Dhanush_Nehru

    14 Jan 2026

    149 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  3. 🚨 Critical Node.js Bug (CVE-2025-59466) Can Crash “Virtually Every” Production App via async_hooks Node.js fixed CVE-2025-59466 (CVSS 7.5), where a stack-overflow in user-controlled recursion with async_hooks/AsyncLocalStorage enabled can force Node to exit with code 7 ins

    @ThreatSynop

    14 Jan 2026

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. ⚠️ Node.js users: A severe vulnerability in CVE-2025-59466 can crash your servers with a denial-of-service attack if you're using async_hooks. Here's what you need to know: WHAT PEOPLE SAW Users relying on Node.js for server operations see their applications function as http

    @photogrim_

    14 Jan 2026

    86 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Node.js fixed a DoS bug where apps crash instead of throwing a catchable error. 🧩 CVE-2025-59466 impacts Next.js, React Server Components, and most APM tools via AsyncLocalStorage. When async_hooks is enabled, deep recursion can force a hard process exit, dropping servic

    @TheHackersNews

    14 Jan 2026

    8613 Impressions

    25 Retweets

    67 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.