CVE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type

GIT

Repo

https://github.com/nodejs/node

Events

Introduced

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Fixed

1f7186e1e01d279022cab6acdecb119e472bb409

Introduced

12fb157f79da8c094a54bc99370994941c28c235

Fixed

6add85e4c46b8be383c8b637102d6b6fd206adce

Introduced

c5349f43cd66d2aa02d86414c9ed426f71d3ae48

Fixed

def0bdf8abee441cfcbf793a8dc24a6f3b899573

Introduced

0b3a10d4c8ba5e15429287e725d22615be896e95

Fixed

00d6cd83927d6d5c8fe9d0cdd101daa6df4b1a15

Database specific

{
    "versions": [
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "20.20.0"
        },
        {
            "introduced": "22.0.0"
        },
        {
            "fixed": "22.22.0"
        },
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.13.0"
        },
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.3.0"
        }
    ]
}

Affected versions

v20.*

v20.0.0

v20.1.0

v20.10.0

v20.11.0

v20.11.1

v20.12.0

v20.12.1

v20.12.2

v20.13.0

v20.13.1

v20.14.0

v20.15.0

v20.15.1

v20.16.0

v20.17.0

v20.18.0

v20.18.1

v20.18.2

v20.18.3

v20.19.0

v20.19.1

v20.19.2

v20.19.3

v20.19.4

v20.19.5

v20.19.6

v20.2.0

v20.3.0

v20.3.1

v20.4.0

v20.5.0

v20.5.1

v20.6.0

v20.6.1

v20.7.0

v20.8.0

v20.8.1

v20.9.0

v22.*

v22.0.0

v22.1.0

v22.10.0

v22.11.0

v22.12.0

v22.13.0

v22.13.1

v22.14.0

v22.15.0

v22.15.1

v22.16.0

v22.17.0

v22.17.1

v22.18.0

v22.19.0

v22.2.0

v22.20.0

v22.21.0

v22.21.1

v22.3.0

v22.4.0

v22.4.1

v22.5.0

v22.5.1

v22.6.0

v22.7.0

v22.8.0

v22.9.0

v24.*

v24.0.0

v24.0.1

v24.0.2

v24.1.0

v24.10.0

v24.11.0

v24.11.1

v24.12.0

v24.2.0

v24.3.0

v24.4.0

v24.4.1

v24.5.0

v24.6.0

v24.7.0

v24.8.0

v24.9.0

v25.*

v25.0.0

v25.1.0

v25.2.0

v25.2.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59466.json"