We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 20 Jan 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | |
| References |
| |
| Metrics |
cvssV3_0
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: hackerone
Published:
Updated: 2026-01-20T20:41:55.628Z
Reserved: 2025-09-16T15:00:07.876Z
Link: CVE-2025-59466
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-01-20T21:16:04.110
Modified: 2026-01-20T21:16:04.110
Link: CVE-2025-59466
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.