Denial-of-Service Vulnerability in Node.js Affects Multiple Versions
CVE-2025-59466

5.9 MEDIUM

Key Information:

Vendor

Nodejs

Status
Vendor
CVE Published: 20 January 2026

What is CVE-2025-59466?

A flaw has been discovered in Node.js error handling: when 'async_hooks.createHook()' is enabled, 'Maximum call stack size exceeded' errors become uncatchable. The application crashes without the error ever reaching the 'uncaughtException' handler. As a consequence, applications that use 'AsyncLocalStorage' and specific versions of 'async_hooks.createHook()' are exposed to denial-of-service attacks caused by deep recursion under particular conditions. Developers are urged to review their applications for this vulnerability and implement necessary safeguards.

Affected Version(s)

node 20.19.6

node 22.21.1

node 24.12.0

News Articles

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js released updates fixing a critical DoS flaw caused by async_hooks stack crashes, tracked as CVE-2025-59466, impacting most production apps.

CVSS V3.0

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • First article discovered by The Hacker News

  • Vulnerability Reserved
