CVE-2025-59465

7.5 HIGH

📋 TL;DR

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash due to an unhandled TLSSocket ECONNRESET error, enabling remote denial of service. This affects Node.js applications that don't attach explicit error handlers to secure sockets. The vulnerability allows attackers to crash Node.js processes remotely.

💻 Affected Systems

Products:
  • Node.js
Versions: Specific versions not provided in CVE description, but likely affects multiple Node.js versions prior to December 2025 security releases
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Applications without explicit error handlers on secure sockets are vulnerable. The example shows missing error handlers on secureConnection events.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage through repeated crashes, potentially affecting all Node.js applications on the affected server.

🟠 Likely Case: Intermittent service disruptions and application crashes requiring manual restarts.

🟢 If Mitigated: Graceful connection closure with logged errors but no service interruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending malformed HTTP/2 frames to vulnerable Node.js servers. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js December 2025 security releases

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Restart Required: Yes

Instructions:

1. Check the current Node.js version.
2. Update to the latest patched version from the December 2025 security releases.
3. Restart all Node.js applications and services.

🔧 Temporary Workarounds

Add error handlers to secure sockets (applies to: all versions)

Implement explicit error handlers for secureConnection events, as shown in the CVE description:

// Add to your Node.js server code (tls.Server or http2.createSecureServer):
server.on('secureConnection', socket => {
  // Without an 'error' listener, an ECONNRESET emitted on the TLSSocket is
  // thrown from the event loop and terminates the process.
  socket.on('error', err => {
    console.log('Socket error:', err);
    socket.destroy(); // close the failed connection; the process keeps serving
  });
});

🧯 If You Can't Patch

  • Implement network-level protections like WAF rules to block malformed HTTP/2 traffic
  • Use load balancers with HTTP/2 protocol validation and connection limiting

🔍 How to Verify

Check if Vulnerable:

Check whether your Node.js application serves HTTP/2 over TLS and whether its secure sockets (secureConnection events) lack explicit error handlers.

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is from December 2025 security releases or later, and test with malformed HTTP/2 traffic

📡 Detection & Monitoring

Log Indicators:

  • Multiple ECONNRESET errors on TLSSocket
  • Unexpected Node.js process crashes
  • HTTP/2 connection failures

Network Indicators:

  • Malformed HTTP/2 HEADERS frames with oversized HPACK data
  • Repeated connection attempts to Node.js ports

SIEM Query:

source="nodejs" AND ("ECONNRESET" OR "TLSSocket error" OR "process crashed")
