CVE-2025-59466

CWE-248CWE-770Allocation without Limits7 documents7 sources
Severity
7.5HIGH
EPSS
0.0%
top 91.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedJan 20

Description

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5nodejs/node8.08.*+14
NVDnodejs/node.js20.0.020.20.0+3
Debiannodejs< 20.19.2+dfsg-1+deb13u1+1

🔴Vulnerability Details

3
CVEList
CVE-2025-59466: We have identified a bug in Node2026-01-20
OSV
CVE-2025-59466: We have identified a bug in Node2026-01-20
GHSA
GHSA-52xj-vx8w-46qj: We have identified a bug in Node2026-01-20

📋Vendor Advisories

2
Red Hat
nodejs: Nodejs denial of service2026-01-20
Debian
CVE-2025-59466: nodejs - We have identified a bug in Node.js error handling where "Maximum call stack siz...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-59466 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-59466 (HIGH CVSS 7.5) | We have identified a bug in Node.js | cvebase.io