Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

Published

2026-01-20T21:16:04.110

Last Modified

2026-01-30T20:25:11.810

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-248

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nodejs	node.js	< 20.20.0	Yes
Application	nodejs	node.js	< 22.22.0	Yes
Application	nodejs	node.js	< 24.13.0	Yes
Application	nodejs	node.js	< 25.3.0	Yes

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases Release Notes, Vendor Advisory ([email protected])