CVE-2025-59466

Description

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

How to fix CVE-2025-59466

To remediate CVE-2025-59466, upgrade the affected package to a fixed version below.

• —upgrade to 22.22.2-r0 or later
• —upgrade to 20.20.0 or later
• —upgrade to 20.20.0 or later
• —no fix listed

Is CVE-2025-59466 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 22.22.2-r0
• from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
• from 0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
• from 0

CVSS scores

References (4)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2025-59466
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-59466
• WEBnodejs.org/en/blog/vulnerability/december-2025-security-releases
• WEBnvd.nist.gov/vuln/detail/CVE-2025-59466