CVE-2025-59466

7.5 HIGH

📋 TL;DR

This vulnerability in Node.js causes applications to crash unrecoverably when deep recursion triggers 'Maximum call stack size exceeded' errors while async_hooks.createHook() is enabled. The error bypasses normal uncaughtException handlers, leading to immediate process termination. Applications using AsyncLocalStorage (Node.js v20, v22) or async_hooks.createHook() (v20, v22, v24) are affected.

💻 Affected Systems

Products:
  • Node.js
Versions: v20.x, v22.x, v24.x
Operating Systems: All platforms running affected Node.js versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when async_hooks.createHook() is enabled or AsyncLocalStorage is used. Default Node.js installations without these features are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial-of-service where Node.js processes crash and cannot restart automatically, causing service disruption until manual intervention.
🟠 Likely Case: Intermittent crashes triggered by legitimate code paths with deep recursion, leading to service instability and potential data loss in active transactions.
🟢 If Mitigated: With proper monitoring and restart mechanisms, crashes are detected and services restored, but with brief downtime and potential transaction loss.

🌐 Internet-Facing: HIGH - Public-facing Node.js applications can be crashed by malicious requests triggering deep recursion, causing service disruption.
🏢 Internal Only: MEDIUM - Internal services may crash from legitimate deep recursion, but attack surface is smaller than internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires triggering deep recursion in code paths using vulnerable async features, which can often be done via crafted inputs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v20.19.0, v22.13.0, v24.11.0

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Restart Required: Yes

Instructions:

1. Check current Node.js version with 'node --version'.
2. Update to patched version using your package manager (npm install -g node@20.19.0, node@22.13.0, or node@24.11.0).
3. Restart all Node.js applications and services.

🔧 Temporary Workarounds

Disable async_hooks.createHook() (applies to: all)

Remove or disable async_hooks.createHook() usage if not essential for application functionality. Review code for async_hooks.createHook() calls and remove or conditionally disable them.

Limit recursion depth (applies to: all)

Implement recursion depth limits in application code to prevent deep recursion scenarios. Implement recursion counters or convert recursive functions to iterative solutions.
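The "limit recursion depth" workaround above in working form. This is an added example, not code from the advisory or from the Node.js project: it shows a recursive tree walker with an explicit depth counter that raises an ordinary, catchable Error well before V8's own stack limit, alongside an iterative rewrite that keeps the work on a heap-allocated stack. `MAX_DEPTH`, the node shape (`{ children: [...] }`) and the chain-shaped sample input are assumptions made for the illustration.

```javascript
// Added example (not from the advisory): bound recursion depth so that deep or
// hostile input produces a normal exception instead of exhausting the engine's
// call stack. MAX_DEPTH and the input shape are assumptions for this example.
'use strict';

const MAX_DEPTH = 1000; // assumed application limit; tune to real data

function depthError() {
  return new Error(`depth limit ${MAX_DEPTH} exceeded`);
}

// Recursive walker with an explicit depth guard. The guard fires long before
// V8 would throw 'Maximum call stack size exceeded', so the failure stays a
// regular exception that try/catch and uncaughtException handlers can see.
function countNodesRecursive(node, depth = 0) {
  if (depth > MAX_DEPTH) throw depthError();
  let count = 1;
  for (const child of node.children || []) {
    count += countNodesRecursive(child, depth + 1);
  }
  return count;
}

// Iterative equivalent: an explicit work stack on the heap replaces the call
// stack, so input depth can no longer exhaust it. The same depth bound is kept
// as a resource limit on untrusted input.
function countNodesIterative(root) {
  const stack = [{ node: root, depth: 0 }];
  let count = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > MAX_DEPTH) throw depthError();
    count += 1;
    for (const child of node.children || []) {
      stack.push({ node: child, depth: depth + 1 });
    }
  }
  return count;
}

// Constructed input: a chain of n nested nodes, the worst case for a
// recursive walker.
function makeChain(n) {
  let node = { children: [] };
  for (let i = 1; i < n; i++) {
    node = { children: [node] };
  }
  return node;
}

// Runs both strategies on a chain of the given length and reports either the
// node count or the guard's rejection message, never an engine stack overflow.
function probe(n) {
  const tree = makeChain(n);
  const result = {};
  try {
    result.recursive = countNodesRecursive(tree);
  } catch (err) {
    result.recursive = `rejected: ${err.message}`;
  }
  try {
    result.iterative = countNodesIterative(tree);
  } catch (err) {
    result.iterative = `rejected: ${err.message}`;
  }
  return result;
}

console.log(probe(500));    // both strategies count 500 nodes
console.log(probe(100000)); // both reject with the depth-limit error
```

The guard has to be tighter than the engine's limit by a comfortable margin, since the frames already on the stack when the walker is entered (HTTP handlers, middleware, the async hook callbacks themselves) are not counted by the application's own counter.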

🧯 If You Can't Patch

  • Implement process monitoring with automatic restart (e.g., using PM2, systemd, or container orchestration)
  • Add rate limiting and input validation to prevent malicious recursion triggers

🔍 How to Verify

Check if Vulnerable:

Check if application uses async_hooks.createHook() or AsyncLocalStorage and runs on Node.js v20.x < 20.19.0, v22.x < 22.13.0, or v24.x < 24.11.0.

Check Version:

node --version

Verify Fix Applied:

After updating, verify version with 'node --version' shows 20.19.0+, 22.13.0+, or 24.11.0+. Test previously crashing recursion scenarios.

📡 Detection & Monitoring

Log Indicators:

  • Process termination without uncaughtException logs
  • 'Maximum call stack size exceeded' errors followed by immediate exit
  • Abnormal process restarts in monitoring systems
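The first two log indicators above, turned into a small scanner. This is an added example, not part of the advisory: it walks process-manager log lines in order and raises an alert when a process logs 'Maximum call stack size exceeded' and then exits without any line from an uncaughtException handler in between, which is the sequence this bug produces. The line format (`<timestamp> pid=<n> <message>`), the handler and exit message wording, and the sample lines are all constructed for the example and will need adapting to a real logger.

```javascript
// Added example (not from the advisory): flag stack-overflow errors that were
// followed by process exit with no uncaughtException handler activity.
// The log format, marker strings and sample lines are constructed.
'use strict';

const STACK_MSG = 'Maximum call stack size exceeded';
const HANDLER_MSG = 'uncaughtException';
const EXIT_RE = /process (?:exited|terminated)/i;

// Constructed line format: "<ISO timestamp> pid=<n> <message>".
function parseLine(line) {
  const m = /^(\S+)\s+pid=(\d+)\s+(.*)$/.exec(line);
  return m ? { ts: m[1], pid: m[2], msg: m[3] } : null;
}

// Keeps per-pid state between the overflow message and the exit line.
// An exit with no handler line in between is reported as an alert.
function findUnhandledStackOverflows(lines) {
  const pending = new Map(); // pid -> { ts, handlerSeen }
  const alerts = [];
  for (const raw of lines) {
    const e = parseLine(raw);
    if (!e) continue; // skip lines that do not match the expected format
    if (e.msg.includes(STACK_MSG)) {
      pending.set(e.pid, { ts: e.ts, handlerSeen: false });
    } else if (e.msg.includes(HANDLER_MSG) && pending.has(e.pid)) {
      pending.get(e.pid).handlerSeen = true;
    } else if (EXIT_RE.test(e.msg) && pending.has(e.pid)) {
      const st = pending.get(e.pid);
      if (!st.handlerSeen) {
        alerts.push({ pid: e.pid, overflowAt: st.ts, exitAt: e.ts });
      }
      pending.delete(e.pid);
    }
  }
  return alerts;
}

// Constructed sample: pid 101 reached its handler before exiting (normal
// uncaughtException flow); pid 202 exited with no handler line at all.
const SAMPLE_LOG = [
  '2025-12-10T10:00:00Z pid=101 RangeError: Maximum call stack size exceeded',
  '2025-12-10T10:00:00Z pid=101 uncaughtException handler: error logged',
  '2025-12-10T10:00:01Z pid=101 process exited',
  '2025-12-10T10:05:00Z pid=202 RangeError: Maximum call stack size exceeded',
  '2025-12-10T10:05:00Z pid=202 process exited',
  '2025-12-10T10:06:00Z pid=303 process exited',
];

console.log(findUnhandledStackOverflows(SAMPLE_LOG));
```

Pair the alert with the version check from the "How to Verify" section: an unhandled overflow followed by exit on a pre-patch version with async_hooks.createHook() or AsyncLocalStorage in use is the signature worth escalating, while the same sequence on a patched version points at an ordinary unhandled error.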

Network Indicators:

  • Sudden service unavailability
  • HTTP 5xx errors from previously working endpoints

SIEM Query:

process.name:"node" AND (event.action:"process_exit" OR log.message:"Maximum call stack size exceeded")
