CVE-2025-59465
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
CVE-2025-59465 is a vulnerability in the Node.js HTTP/2 server. A malformed HTTP/2 HEADERS frame carrying oversized, invalid HPACK data causes the connection to be reset, and the resulting ECONNRESET error is emitted as an 'error' event on the underlying TLSSocket. If nothing is listening for that event, Node.js raises it as an uncaught exception and the whole process exits instead of closing the single affected connection. A remote client can therefore take the server down with one bad frame. Applications that do not attach explicit 'error' handlers to their secure sockets are the ones exposed; a handler of the following form keeps the failure confined to that connection:
// server is the http2.createSecureServer() instance
server.on('secureConnection', socket => {
  // Without this listener an emitted 'error' (for example ECONNRESET)
  // becomes an uncaught exception and terminates the process.
  socket.on('error', err => {
    console.log(err)
  })
})
The affected releases are those between 20.0.0 and 20.20.0, between 22.0.0 and 22.22.0, between 24.0.0 and 24.13.0, and between 25.0.0 and 25.3.0. The issue carries a CVSS score of 7.5 (high); the impact is limited to availability. Upgrade to a release outside the affected ranges and, independently of the upgrade, audit servers for secure sockets with no 'error' listener. Further details are in the Node.js security release notes.
Overview
Node.js is a popular open-source, cross-platform runtime environment that allows developers to execute JavaScript code server-side. It is widely used for building scalable network applications due to its non-blocking, event-driven architecture. This flexibility makes Node.js a preferred choice for modern web applications.
A vulnerability identified as CVE-2025-59465 has been discovered in Node.js, specifically in its handling of malformed HTTP/2 HEADERS frames containing oversized and invalid HPACK data. Rejecting such a frame resets the connection, and the ECONNRESET that follows surfaces as an unhandled 'error' event on the TLSSocket beneath the HTTP/2 session. Because Node.js treats an 'error' event with no listener as fatal, the process crashes, which amounts to a remote denial of service against any application that does not register explicit error handlers on its secure sockets.
The vulnerability affects the Node.js releases between 20.0.0 and 20.20.0, between 22.0.0 and 22.22.0, between 24.0.0 and 24.13.0, and between 25.0.0 and 25.3.0. Developers should upgrade and, in the meantime, attach error handlers to secure connections so that a reset connection is closed rather than crashing the process. More details regarding this vulnerability can be found in the Node.js security release notes.
The issue is classified under CWE-400, "Uncontrolled Resource Consumption", the weakness class that covers denial-of-service conditions. Note that the availability loss here does not come from gradual resource exhaustion: a single malformed HEADERS frame is enough, because the unhandled error terminates the process outright.
Details
Module Info
- Product: Node.js
- Affected packages: nodejs/node
- Affected versions: v20 - v22 - v24 - v25
- GitHub repository: https://github.com/nodejs/node
- Fixed In: Node.js NES v12.22.15 - v14.21.9 - v16.20.9 - v18.20.14
Vulnerability Info
The trigger is a single HTTP/2 HEADERS frame whose HPACK header block is oversized and invalid. Node.js rejects the frame and the connection is torn down, but the ECONNRESET that results is delivered as an 'error' event on the TLSSocket beneath the HTTP/2 session rather than being absorbed by the HTTP/2 layer. Node.js treats an 'error' event that has no listener as fatal: the error is thrown from the emitter, becomes an uncaught exception, and the process exits. Instead of one connection being closed, the whole server goes down, and the attack can be repeated against a restarted process. The only thing the attacker needs is the ability to open a TLS connection to the HTTP/2 listener.
Servers whose code never registers an 'error' listener on the sockets handed to the 'secureConnection' event are the ones that crash; the handler shown under Mitigation is sufficient to keep the error local to the affected connection.
The affected releases are those between 20.0.0 and 20.20.0, between 22.0.0 and 22.22.0, between 24.0.0 and 24.13.0, and between 25.0.0 and 25.3.0. The issue carries a CVSS score of 7.5 (high), with the impact limited to availability. For the upstream fix, refer to the Node.js security release notes.
Mitigation
Upgrade to a Node.js release outside the affected ranges (or, for the v12 to v18 lines, to the HeroDevs NES versions listed above). Independently of the upgrade, attach an explicit 'error' handler to every secure socket: the crash only happens when the 'error' event has no listener, so a handler turns the condition into a closed connection. For example:
// server is the http2.createSecureServer() instance
server.on('secureConnection', socket => {
  // A reset connection now surfaces here instead of as an uncaught exception.
  socket.on('error', err => {
    console.log(err);
  });
});