What is CVE-2025-59466?

A high-severity denial-of-service vulnerability has been identified in Node.js, specifically affecting error handling. This can cause applications to crash under certain conditions, and immediate remediation is necessary.

What is the severity of CVE-2025-59466?

CVE-2025-59466 has a severity rating of HIGH with a CVSS base score of 7.5.

CVE-2025-59466 | High Vulnerability in Node.js

We have identified a bug in Node.js error handling where 'Maximum call stack size exceeded' errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. This vulnerability is classified as high severity with a CVSS score of 7.5, indicating that it poses a significant risk to affected systems.

Risk to organizations includes potential service outages and disruptions that can severely impact operational continuity. Given that the vulnerability affects the Node.js environment utilized in many applications, it is imperative for developers and system administrators to take immediate action to mitigate risks.

Currently, there are no known exploits available for this vulnerability, but its exploitability is rated high due to the ease of triggering the conditions that lead to a denial-of-service state. Organizations should prioritize patching immediately to prevent any potential disruptions.

With the publication of this vulnerability, organizations using Node.js must assess their deployment and determine the urgency of applying available patches or implementing workarounds to safeguard their applications.

Vulnerability Details

This vulnerability allows a denial-of-service condition due to uncatchable errors in Node.js error handling. The severity is rated as high, with a CVSS score of 7.5. The affected product is Node.js, specifically versions 20.0.0 to 20.20.0, 22.0.0 to 22.22.0, 24.0.0 to 24.13.0, and 25.0.0 to 25.3.0. The publication date for this vulnerability was January 20, 2026.

Technical Analysis

The root cause of this vulnerability stems from how Node.js handles errors when `async_hooks.createHook()` is enabled. Instead of allowing the application to recover gracefully, the process crashes, leading to a denial-of-service state. The attack vector is network-based, with low complexity and no privileges required for exploitation. User interaction is not necessary for an attack to succeed.

The impact on availability is high, as the crashing of the application can lead to significant downtime and service interruptions, while confidentiality and integrity impacts are negligible in this context.

Risk & Impact Analysis

Real-world deployment risks include potential service outages, which could affect user trust and customer satisfaction. Organizations using Node.js in production environments must evaluate their exposure to this vulnerability and implement patches as soon as they become available.

The urgency to address this vulnerability is high, as the CVSS score indicates a significant risk. Organizations should prioritize remediation based on the potential blast radius and the critical nature of the services impacted by the crash.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerable versions of Node.js include 20.0.0 to 20.20.0, 22.0.0 to 22.22.0, 24.0.0 to 24.13.0, and 25.0.0 to 25.3.0. Organizations should ensure their systems are updated to the latest versions to mitigate the risks associated with this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching immediately. Upgrading to the latest version of Node.js that addresses this vulnerability is essential. If a patch is unavailable, consider implementing workarounds such as disabling the use of `async_hooks.createHook()` until a proper fix is applied.

Additional configuration hardening and network controls should be applied to limit exposure to potential denial-of-service attacks.

Detection Guidance

Monitoring log indicators for unexpected termination of Node.js processes and analyzing behavioral anomalies in application performance can help in early detection of this vulnerability's exploitation.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability underscores the importance of robust error handling in Node.js environments. Security teams should learn from this incident to enhance their defensive posture against similar bugs in the future.

Organizations are encouraged to adopt a proactive approach to vulnerability management by continuously monitoring for updates and integrating security testing in their development practices.

For comprehensive security assessments, organizations may consider engaging in penetration testing services to identify similar weaknesses.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-59466: High Vulnerability in Node.js