Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-59466

Опубликовано: 20 янв. 2026
Источник: nvd
CVSS3: 5.9
CVSS3: 7.5
EPSS Низкий

Описание

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 20.0.0 (включая) до 20.20.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 22.0.0 (включая) до 22.22.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 24.0.0 (включая) до 24.13.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 25.0.0 (включая) до 25.3.0 (исключая)

EPSS

Процентиль: 7%
0.00027
Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-248

Связанные уязвимости

ubuntu логотип

CVE-2025-59466

CVSS3: 7.5
ubuntu
2 месяца назад

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

redhat логотип

CVE-2025-59466

CVSS3: 5.9
redhat
2 месяца назад

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

debian логотип

CVE-2025-59466

CVSS3: 7.5
debian
2 месяца назад

We have identified a bug in Node.js error handling where "Maximum call ...

github логотип

GHSA-52xj-vx8w-46qj

CVSS3: 5.9
github
2 месяца назад

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

fstec логотип

BDU:2026-00456

CVSS3: 7.5
fstec
2 месяца назад

Уязвимость функции createHook() модуля async_hooks программной платформы Node.js, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 7%
0.00027
Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-248