CVE-2025-59465

NONE EPSS 56.1%

Published Jan 20, 20265mo ago · Modified Jun 17, 20261w ago

Published Jan 20, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```

Threat Intelligence

EPSS Exploit Probability

56.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 4

Vendor	Product	Version	Range
nodejs	node.js	*	≥20.0.0 – <20.20.0
nodejs	node.js	*	≥22.0.0 – <22.22.0
nodejs	node.js	*	≥24.0.0 – <24.13.0
nodejs	node.js	*	≥25.0.0 – <25.3.0

References 1

nodejs.org https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Release NotesVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.