PT-2026-2478 · Next.Js+4
Published: 2025-01-01 · Updated: 2026-04-01
CVE-2025-59466
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Node.js versions 8.x through 18.x
Node.js versions 20.x through 20.20.0
Node.js versions 22.x through 22.22.0
Node.js versions 24.x through 24.13.0
Node.js versions 25.x through 25.3.0
Description
A critical issue exists in Node.js related to the async_hooks module, potentially leading to denial-of-service (DoS) conditions. When async_hooks.createHook() is enabled, "Maximum call stack size exceeded" errors become uncatchable, causing the Node.js process to terminate unexpectedly instead of triggering standard error handling mechanisms like process.on('uncaughtException'). This is due to uncontrolled recursion. Applications utilizing AsyncLocalStorage are particularly vulnerable. The vulnerability affects a wide range of frameworks and application performance monitoring (APM) tools. Exploitation of this issue can result in unrecoverable crashes, effectively causing a DoS. The issue impacts nearly every production Node.js application.
Recommendations
Update to Node.js version 20.20.0 or later.
Update to Node.js version 22.22.0 or later.
Update to Node.js version 24.13.0 or later.
Update to Node.js version 25.3.0 or later.
For versions 8.x through 18.x, update to a supported version.
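A runtime check that maps a Node.js version string onto the recommendations above (an added example, not code from the advisory or from the Node.js project). The function names and status labels are hypothetical, and the thresholds assume the versions named in the Recommendations list are the minimum acceptable release for each line.

```javascript
// Added example. Thresholds are copied from the Recommendations list on this page;
// treating them as the minimum acceptable release per line is an assumption.
const MIN_RECOMMENDED = {
  20: [20, 20, 0],
  22: [22, 22, 0],
  24: [24, 13, 0],
  25: [25, 3, 0],
};

// Parse "v22.21.1" or "22.21.1" (any pre-release suffix is ignored) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-part numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version against the advisory; defaults to the running interpreter.
function assessNodeVersion(version = process.version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major >= 8 && major <= 18) {
    // The page lists 8.x through 18.x as affected with no fixed release named.
    return { status: 'update-required', action: 'update to a supported version' };
  }
  const min = MIN_RECOMMENDED[major];
  if (!min) {
    // Release line not named on the page (for example 19.x or 23.x).
    return { status: 'not-listed', action: 'release line is not covered by this advisory text' };
  }
  if (compareVersions(parsed, min) < 0) {
    return { status: 'update-required', action: `update to Node.js ${min.join('.')} or later` };
  }
  return { status: 'meets-recommendation', action: 'none' };
}

console.log(JSON.stringify(assessNodeVersion()));
```

Run at service start-up or in CI, a status other than meets-recommendation can fail the deployment before an affected runtime reaches production.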
Fix
DoS
Uncontrolled Recursion
Related Identifiers
Affected Products
Next.Js
Node.Js
React Server Components
Red Os
Rocky Linux