CVE-2025-59465

CWE-400Uncontrolled Resource ConsumptionCWE-2488 documents7 sources
Severity
7.5HIGH
EPSS
0.1%
top 77.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedJan 20

Description

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5nodejs/node4.04.*+18
NVDnodejs/node.js20.0.020.20.0+3
Alpinenodejs< 22.22.2-r0+1
Debiannodejs< 20.19.2+dfsg-1+deb13u1+1

🔴Vulnerability Details

4
OSV
CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node2026-01-20
CVEList
CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node2026-01-20
GHSA
GHSA-w2pg-hw7v-f7m9: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node2026-01-20
OSV
CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node2026-01-20

📋Vendor Advisories

2
Red Hat
nodejs: Nodejs denial of service2026-01-20
Debian
CVE-2025-59465: nodejs - A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can caus...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-59465 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-59465 (HIGH CVSS 7.5) | A malformed `HTTP/2 HEADERS` frame | cvebase.io