CVE-2025-59466

High

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when…

hackerone·CWE-248·Published 2026-01-20

CVSS

7.5

EPSS

0.01

KEV

Exploits

cve.orgen

477 chars

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

NVDen

477 chars

NVDes

538 chars

Hemos identificado un error en el manejo de errores de Node.js donde los errores 'Maximum call stack size exceeded' se vuelven inatrapables cuando `async_hooks.createHook()` está habilitado. En lugar de alcanzar `process.on('uncaughtException')`, el proceso termina, haciendo que el fallo sea irrecuperable. Las aplicaciones que dependen de `AsyncLocalStorage` (v22, v20) o `async_hooks.createHook()` (v24, v22, v20) se vuelven vulnerables a fallos de denegación de servicio provocados por recursión profunda bajo condiciones específicas.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.0	Primary	cve.org	5.9	—	—	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
3.0	Primary	cve.org	5.9	—	—	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
3.0	Secondary	NVD	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1	Primary	NVD	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H