CVE-2025-59465
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-30
Assigner: HackerOne
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | From 20.0.0 (inc) to 20.20.0 (exc) |
| nodejs | node.js | From 22.0.0 (inc) to 22.22.0 (exc) |
| nodejs | node.js | From 24.0.0 (inc) to 24.13.0 (exc) |
| nodejs | node.js | From 25.0.0 (inc) to 25.3.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when a malformed HTTP/2 HEADERS frame containing oversized or invalid HPACK data causes Node.js to crash. The crash happens because an unhandled TLSSocket error (ECONNRESET) is triggered, and instead of safely closing the connection, the Node.js process terminates unexpectedly. This mainly affects applications that do not have explicit error handlers attached to secure sockets.
How can this vulnerability impact me?
The vulnerability can lead to a remote denial of service (DoS) attack by causing the Node.js process to crash unexpectedly. This can disrupt the availability of applications or services running on Node.js that are exposed to malicious HTTP/2 traffic without proper error handling on secure sockets.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that your Node.js applications attach explicit error handlers to secure sockets so that an unhandled TLSSocket error cannot crash the process. For example, register an error listener on each socket handed to you by the secureConnection event: server.on('secureConnection', socket => { socket.on('error', err => { console.log(err); }); });