AIKIDO-2026-10031

node is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) | CVE-2025-59466 | Published Jan 14, 2026

50

Medium Risk

This Affects:

OS node
0.0.1 - 20.19.6: fixed in 20.20.0
21.0.0 - 22.21.1: fixed in 22.22.0
23.0.0 - 24.12.0: fixed in 24.13.0
25.0.0 - 25.2.0: fixed in 25.3.0

TL;DR

Affected versions of the package are vulnerable to a crash due to improper error handling when async_hooks.createHook() is enabled. Under specific conditions involving deep recursion, a “Maximum call stack size exceeded” error becomes uncatchable and bypasses process.on('uncaughtException'), causing the Node.js process to terminate unexpectedly. Applications using AsyncLocalStorage or async_hooks.createHook() can therefore be forced into an unrecoverable denial-of-service condition.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

node is vulnerable to Denial of Service (DoS) in versions 25.0.0 - 25.2.0, 23.0.0 - 24.12.0, 21.0.0 - 22.21.1 and 0.0.1 - 20.19.6.

How to fix this

Upgrade node to a patched version for your release line: 20.20.0, 22.22.0, 24.13.0 or 25.3.0.
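
The version ranges above can be checked against a running interpreter or a list of deployed versions. The following is an added example, not code from this advisory or from the Node.js project; the function names (parseVersion, compareVersions, checkNodeVersion) are hypothetical, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Affected ranges (inclusive) and fixed versions, copied from this advisory.
const AFFECTED_RANGES = [
  { from: "0.0.1", to: "20.19.6", fixedIn: "20.20.0" },
  { from: "21.0.0", to: "22.21.1", fixedIn: "22.22.0" },
  { from: "23.0.0", to: "24.12.0", fixedIn: "24.13.0" },
  { from: "25.0.0", to: "25.2.0", fixedIn: "25.3.0" },
];

// Parse "v22.21.1" or "22.21.1" into [major, minor, patch].
// Assumption: any pre-release/build suffix ("-rc.1", "-nightly...") is ignored.
function parseVersion(version) {
  const match = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!match) {
    throw new TypeError(`not a Node.js version string: ${version}`);
  }
  return match.slice(1).map(Number);
}

// Numeric comparison, component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Report whether a version is inside an affected range and, if so,
// which release on the same line carries the fix.
function checkNodeVersion(version) {
  const parsed = parseVersion(version);
  for (const range of AFFECTED_RANGES) {
    const aboveLower = compareVersions(parsed, parseVersion(range.from)) >= 0;
    const belowUpper = compareVersions(parsed, parseVersion(range.to)) <= 0;
    if (aboveLower && belowUpper) {
      return { version: parsed.join("."), affected: true, fixedIn: range.fixedIn };
    }
  }
  return { version: parsed.join("."), affected: false, fixedIn: null };
}

// Check the interpreter running this script.
const current = checkNodeVersion(process.version);
console.log(
  current.affected
    ? `node ${current.version} is affected; upgrade to ${current.fixedIn} or later`
    : `node ${current.version} is outside the affected ranges`
);
```

A version in range is only exposed in practice when the application uses AsyncLocalStorage or async_hooks.createHook(), as the TL;DR describes, so pair this check with a search of the codebase and its dependencies for those APIs.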