CVE-2025-59465

Name
CVE-2025-59465
Description
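A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets. An explicit handler looks like this, for example:

```
// Attach an 'error' listener to every TLS socket the server accepts,
// so a socket-level error such as ECONNRESET is handled instead of
// surfacing as an unhandled 'error' event that terminates the process.
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```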
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| support@hackerone.com | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | node | >= 0 | <= 20.19.6 |
| | node | >= 0 | <= 22.21.1 |
| | node | >= 0 | <= 24.12.0 |
| | node | >= 0 | <= 25.2.1 |
| | node | >= 4.0 | < 4.* |
| | node | >= 5.0 | < 5.* |
| | node | >= 6.0 | < 6.* |
| | node | >= 7.0 | < 7.* |
| | node | >= 8.0 | < 8.* |
| | node | >= 9.0 | < 9.* |
| | node | >= 10.0 | < 10.* |
| | node | >= 11.0 | < 11.* |
| | node | >= 12.0 | < 12.* |
| | node | >= 13.0 | < 13.* |
| | node | >= 14.0 | < 14.* |
| | node | >= 15.0 | < 15.* |
| | node | >= 16.0 | < 16.* |
| | node | >= 17.0 | < 17.* |
| | node | >= 18.0 | < 18.* |
| `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | nodejs | >= 20.0.0 | < 20.20.0 |
| `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | nodejs | >= 22.0.0 | < 22.22.0 |
| `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | nodejs | >= 24.0.0 | < 24.13.0 |
| `cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*` | nodejs | >= 25.0.0 | < 25.3.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| nodejs | edge-main | 24.11.1-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 24.11.1-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 24.11.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.21.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.19.0-r4 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.19.0-r3 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.16.0-r3 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.16.0-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.16.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.16.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r5 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r4 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r3 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.13.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.11.0-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.11.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.15.1-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.13.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.12.2-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.12.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.12.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.11.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.10.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.10.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 20.9.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.23-main | 24.11.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.22-main | 22.22.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| nodejs | 3.22-main | 22.16.0-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.22-main | 22.13.1-r0 | None | possibly vulnerable |
| nodejs | 3.22-main | 20.15.1-r0 | None | possibly vulnerable |
| nodejs | 3.22-main | 20.12.1-r0 | None | possibly vulnerable |
| nodejs | 3.21-main | 22.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.21-main | 22.13.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.21-main | 22.11.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.21-main | 22.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.21-main | 20.15.1-r0 | None | possibly vulnerable |
| nodejs | 3.21-main | 20.12.1-r0 | None | possibly vulnerable |
| nodejs | 3.20-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.20-main | 20.13.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.20-main | 20.12.1-r0 | None | possibly vulnerable |
| nodejs | 3.19-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.12.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.11.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.10.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.10.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |