Fluid Attacks Database

Description

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	nodejs	=12.21.0~dfsg-5 \|\| =12.22.10~dfsg-1 \|\| =12.22.10~dfsg-2 \|\| =12.22.12~dfsg-1~deb11u1 \|\| =12.22.12~dfsg-1~deb11u2 \|\| =12.22.12~dfsg-1~deb11u3 \|\| =12.22.12~dfsg-1~deb11u4 \|\| =12.22.12~dfsg-1~deb11u5 \|\| =12.22.12~dfsg-1~deb11u6 \|\| =12.22.12~dfsg-1~deb11u7 \|\| =12.22.4~dfsg-1 \|\| =12.22.5~dfsg-1 \|\| =12.22.5~dfsg-2 \|\| =12.22.5~dfsg-2~11u1 \|\| =12.22.5~dfsg-3 \|\| =12.22.5~dfsg-4 \|\| =12.22.5~dfsg-5 \|\| =12.22.5~dfsg-6 \|\| =12.22.5~dfsg-7 \|\| =12.22.7~dfsg-1 \|\| =12.22.7~dfsg-2 \|\| =12.22.9~dfsg-1 \|\| =14.11.0~dfsg-1 \|\| =14.11.0~dfsg-2 \|\| =14.12.0~dfsg-1 \|\| =14.13.0~dfsg-1 \|\| =14.16.0~dfsg-1 \|\| =14.16.1~dfsg-1 \|\| =14.17.0~dfsg-1 \|\| =14.17.0~dfsg-2 \|\| =14.4.0~dfsg-1 \|\| =14.4.0~dfsg-2 \|\| =14.7.0~dfsg-1 \|\| =14.8.0~dfsg-1 \|\| =14.9.0~dfsg-1 \|\| =16.11.1~dfsg-1 \|\| =16.13.0~dfsg-1 \|\| =16.13.0~dfsg-2 \|\| =16.13.0~dfsg-3 \|\| =16.13.0~dfsg-4 \|\| =16.13.0~dfsg-5 \|\| =16.13.2+really14.19.0~dfsg-1 \|\| =16.13.2+really14.19.0~dfsg-2 \|\| =16.13.2+really14.19.1~dfsg-1 \|\| =16.13.2+really14.19.1~dfsg-2 \|\| =16.13.2+really14.19.1~dfsg-3 \|\| =16.13.2+really14.19.1~dfsg-4 \|\| =16.13.2+really14.19.1~dfsg-5 \|\| =16.13.2+really14.19.1~dfsg-6 \|\| =16.13.2~dfsg-1 \|\| =16.13.2~dfsg-2 \|\| =16.14.2+dfsg-1 \|\| =16.14.2+dfsg-2 \|\| =16.14.2+dfsg-3 \|\| =16.14.2+dfsg-4 \|\| =16.14.2+dfsg-5 \|\| =16.14.2+dfsg1-1 \|\| =16.15.0+dfsg-1 \|\| =16.15.1+dfsg-1 \|\| =18.10.0+dfsg-1 \|\| =18.10.0+dfsg-2 \|\| =18.10.0+dfsg-3 \|\| =18.10.0+dfsg-4 \|\| =18.10.0+dfsg-5 \|\| =18.10.0+dfsg-6 \|\| =18.11.0+dfsg-1 \|\| =18.11.0+dfsg-2 \|\| =18.11.0+dfsg-3 \|\| =18.11.0+dfsg-4 \|\| =18.12.0+dfsg-1 \|\| =18.12.1+dfsg-1 \|\| =18.12.1+dfsg-2 \|\| =18.12.1+dfsg-2+0.riscv64.1 \|\| =18.13.0+dfsg-1 \|\| =18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| =18.20.4+dfsg-1~deb12u2 \|\| =18.3.0+dfsg-1 \|\| =18.4.0+dfsg-1 \|\| =18.4.0+dfsg-2 \|\| =18.6.0+dfsg-1 \|\| =18.6.0+dfsg-2 \|\| =18.6.0+dfsg-3 \|\| =18.6.0+dfsg-4 \|\| =18.6.0+dfsg-5 \|\| =18.7.0+dfsg-1 \|\| =18.7.0+dfsg-4 \|\| =18.7.0+dfsg-5 \|\| =18.8.0+dfsg-1 \|\| =20.10.0+dfsg-1 \|\| =20.12.2+dfsg-1 \|\| =20.13.0+dfsg-1 \|\| =20.13.1+dfsg-1 \|\| =20.13.1+dfsg-2 \|\| =20.14.0+dfsg-1 \|\| =20.14.0+dfsg-2 \|\| =20.14.0+dfsg-3 \|\| =20.15.0+dfsg-1 \|\| =20.15.1+dfsg-1 \|\| =20.16.0+dfsg-1 \|\| =20.17.0+dfsg-1 \|\| =20.17.0+dfsg-2 \|\| =20.18.0+dfsg-1 \|\| =20.18.0+dfsg-2 \|\| =20.18.1+dfsg-1 \|\| =20.18.1+dfsg-2 \|\| =20.18.2+dfsg-1 \|\| =20.18.2+dfsg-2 \|\| =20.18.2+dfsg-3 \|\| =20.18.2+dfsg-4 \|\| =20.18.3+dfsg-1 \|\| =20.19.0+dfsg-1 \|\| =20.19.0+dfsg-2 \|\| =20.19.0+dfsg1-1 \|\| =20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-1 \|\| =22.22.2+dfsg+~cs22.19.15-3 \|\| =24.11.1+dfsg+~cs24.10.1-1 \|\| =24.11.1+dfsg+~cs24.10.1-2 \|\| =24.12.0+dfsg+~cs24.10.4-1 \|\| =24.13.0+dfsg+~cs24.10.7-1 \|\| =24.13.0+dfsg+~cs24.10.7-2 \|\| =24.14.0+dfsg+~cs24.12.0-1 \|\| =24.14.0+dfsg+~cs24.12.0-2 \|\| =24.14.1+dfsg+~cs24.12.0-1 \|\| =24.15.0+dfsg+~cs24.12.2-1	-
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| >=0 <18.20.4+dfsg-1~deb12u2	18.20.4+dfsg-1~deb12u2
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| >=0 <22.22.0+dfsg+~cs22.19.6-1	22.22.0+dfsg+~cs22.19.6-1
alpine v3.23	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.16.0-r3 \|\| =22.19.0-r3 \|\| =22.19.0-r4 \|\| =22.21.0-r0 \|\| =24.11.1-r0 \|\| >=0 <24.13.0-r0	24.13.0-r0
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| >=0 <22.22.0-r0	22.22.0-r0
debian 13	nodejs	=20.19.2+dfsg-1 \|\| >=0 <20.19.2+dfsg-1+deb13u1	20.19.2+dfsg-1+deb13u1
rpm rhel8	nodejs	<1:20.20.0-1.module+el8.10.0+23905+c49b2aec	1:20.20.0-1.module+el8.10.0+23905+c49b2aec
rpm rhel9	nodejs	<1:20.20.0-1.module+el9.7.0+23895+0637d423	1:20.20.0-1.module+el9.7.0+23895+0637d423
rpm rhel9.6	nodejs	<1:20.20.0-1.module+el9.6.0+23988+6b9eae47	1:20.20.0-1.module+el9.6.0+23988+6b9eae47
rpm rhel9.4	nodejs	<1:20.20.0-1.module+el9.4.0+23992+5dc31998	1:20.20.0-1.module+el9.4.0+23992+5dc31998

1-10 of 14

Aliases

1. CVE-2025-594662. NVD-2025-594663. OSV-DEBIAN-2025-594664. OSV-2025-594665. OSV-ALPINE-2025-594666. SECURITY-TRACKER-CVE-2025-594667. SECURITY-CVE-2025-59466

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.