{"id":"CVE-2025-59466","details":"We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.","aliases":["BIT-node-2025-59466","BIT-node-min-2025-59466"],"modified":"2026-04-16T00:00:11.269147664Z","published":"2026-01-20T21:16:04.110Z","related":["ALSA-2026:1842","ALSA-2026:1843","ALSA-2026:2420","ALSA-2026:2421","ALSA-2026:2422","ALSA-2026:2781","ALSA-2026:2782","ALSA-2026:2783","CGA-3wxp-gff7-xr5w","SUSE-SU-2026:0295-1","SUSE-SU-2026:0301-1","SUSE-SU-2026:0435-1","SUSE-SU-2026:0457-1","SUSE-SU-2026:20436-1","openSUSE-SU-2026:10062-1","openSUSE-SU-2026:10074-1","openSUSE-SU-2026:20236-1"],"references":[{"type":"ADVISORY","url":"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0"},{"fixed":"1f7186e1e01d279022cab6acdecb119e472bb409"},{"introduced":"12fb157f79da8c094a54bc99370994941c28c235"},{"fixed":"6add85e4c46b8be383c8b637102d6b6fd206adce"},{"introduced":"c5349f43cd66d2aa02d86414c9ed426f71d3ae48"},{"fixed":"def0bdf8abee441cfcbf793a8dc24a6f3b899573"},{"introduced":"0b3a10d4c8ba5e15429287e725d22615be896e95"},{"fixed":"00d6cd83927d6d5c8fe9d0cdd101daa6df4b1a15"}],"database_specific":{"versions":[{"introduced":"20.0.0"},{"fixed":"20.20.0"},{"introduced":"22.0.0"},{"fixed":"22.22.0"},{"introduced":"24.0.0"},{"fixed":"24.13.0"},{"introduced":"25.0.0"},{"fixed":"25.3.0"}]}}],"versions":["v20.0.0","v20.1.0","v20.10.0","v20.11.0","v20.11.1","v20.12.0","v20.12.1","v20.12.2","v20.13.0","v20.13.1","v20.14.0","v20.15.0","v20.15.1","v20.16.0","v20.17.0","v20.18.0","v20.18.1","v20.18.2","v20.18.3","v20.19.0","v20.19.1","v20.19.2","v20.19.3","v20.19.4","v20.19.5","v20.19.6","v20.2.0","v20.3.0","v20.3.1","v20.4.0","v20.5.0","v20.5.1","v20.6.0","v20.6.1","v20.7.0","v20.8.0","v20.8.1","v20.9.0","v22.0.0","v22.1.0","v22.10.0","v22.11.0","v22.12.0","v22.13.0","v22.13.1","v22.14.0","v22.15.0","v22.15.1","v22.16.0","v22.17.0","v22.17.1","v22.18.0","v22.19.0","v22.2.0","v22.20.0","v22.21.0","v22.21.1","v22.3.0","v22.4.0","v22.4.1","v22.5.0","v22.5.1","v22.6.0","v22.7.0","v22.8.0","v22.9.0","v24.0.0","v24.0.1","v24.0.2","v24.1.0","v24.10.0","v24.11.0","v24.11.1","v24.12.0","v24.2.0","v24.3.0","v24.4.0","v24.4.1","v24.5.0","v24.6.0","v24.7.0","v24.8.0","v24.9.0","v25.0.0","v25.1.0","v25.2.0","v25.2.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59466.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}