Denial-of-Service Vulnerability in Node.js Affects Multiple Versions
CVE-2025-59466
What is CVE-2025-59466?
A flaw in Node.js error handling has been discovered: once 'async_hooks.createHook()' is enabled, 'Maximum call stack size exceeded' errors become uncatchable, and the application crashes without ever reaching the 'uncaughtException' handler. As a consequence, applications that use 'AsyncLocalStorage' and specific versions of 'async_hooks.createHook()' are left exposed to denial-of-service attacks caused by deep recursion under particular conditions. Developers are urged to review their applications for this vulnerability and implement the necessary safeguards.
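
One safeguard for the deep-recursion condition described above, as an added example (not code from this advisory or from the Node.js project): because the stack overflow may not be catchable, it caps the nesting depth of untrusted JSON before any recursive code touches it. The names `MAX_DEPTH`, `jsonNestingDepth`, `parseBounded` and `countLeaves`, the limit of 64 and the error code are assumptions.

```javascript
'use strict';
// Added example; every name below is hypothetical, not a Node.js API.
const MAX_DEPTH = 64; // assumed limit; set it to the deepest legitimate payload

// Scan raw JSON text and return its maximum bracket nesting depth.
// Iterative, so the check itself cannot overflow the call stack.
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;                      // brackets inside strings do not count
    } else if (ch === '{' || ch === '[') {
      if (++depth > max) max = depth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return max;
}

// Reject over-deep input before parsing it or walking it recursively.
function parseBounded(text, limit = MAX_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > limit) {
    const err = new Error(`nesting depth ${depth} exceeds limit ${limit}`);
    err.code = 'ERR_DEPTH_LIMIT';           // hypothetical application error code
    throw err;
  }
  return JSON.parse(text);
}

// Recursive consumer of the kind that needs bounded input.
function countLeaves(node) {
  if (node === null || typeof node !== 'object') return 1;
  return Object.values(node).reduce((n, child) => n + countLeaves(child), 0);
}

// Constructed sample inputs: one ordinary payload, one pathologically nested.
const ok = '{"user":{"tags":["a","b"],"note":"brackets in text: [[[{"}}';
const deep = '['.repeat(10000) + ']'.repeat(10000);
```

The rejection is an ordinary thrown error raised at shallow stack depth, so it does not depend on a stack overflow being catchable.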

Affected Version(s)
node 20.19.6
node 22.21.1
node 24.12.0
News Articles
Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow
Node.js released updates fixing a critical DoS flaw caused by async_hooks stack crashes, tracked as CVE-2025-59466, impacting most production apps.
3 weeks ago
References
CVSS V3.0
Timeline
Vulnerability published
First article discovered by The Hacker News
Vulnerability Reserved
