{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-20T20:41:55Z",
  "bugzilla" : {
    "description" : "nodejs: Nodejs denial of service",
    "id" : "2431343",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431343"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.", "A stack overflow flaw has been discovered in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions." ],
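  "statement" : "This flaw is reachable only when the experimental async hooks feature is in use in Node.js; per the details of this record, that covers applications that call `async_hooks.createHook()` or, on v22 and v20, rely on `AsyncLocalStorage`. This feature is not enabled by default on Red Hat systems.",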
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1842",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.13.0-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1843",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs22-1:22.22.0-3.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2899",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "nodejs22-1:22.22.0-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2420",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260116121421.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2421",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020260119091831.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2422",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020260119100525.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260117213814.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2782",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9070020260117213838.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2783",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9070020260117213748.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2768",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nodejs:20-9040020260211171433.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2767",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:20-9060020260210180816.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2864",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:22-9060020260210120402.rhel9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6402",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6431",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7386",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs20-main-20.20.0-7.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7387",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs22-main-22.22.0-1.3.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59466\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59466\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases" ],
  "name" : "CVE-2025-59466",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}