Fluid Attacks Database

Description

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:

server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	nodejs	=12.21.0~dfsg-5 \|\| =12.22.10~dfsg-1 \|\| =12.22.10~dfsg-2 \|\| =12.22.12~dfsg-1~deb11u1 \|\| =12.22.12~dfsg-1~deb11u2 \|\| =12.22.12~dfsg-1~deb11u3 \|\| =12.22.12~dfsg-1~deb11u4 \|\| =12.22.12~dfsg-1~deb11u5 \|\| =12.22.12~dfsg-1~deb11u6 \|\| =12.22.12~dfsg-1~deb11u7 \|\| =12.22.4~dfsg-1 \|\| =12.22.5~dfsg-1 \|\| =12.22.5~dfsg-2 \|\| =12.22.5~dfsg-2~11u1 \|\| =12.22.5~dfsg-3 \|\| =12.22.5~dfsg-4 \|\| =12.22.5~dfsg-5 \|\| =12.22.5~dfsg-6 \|\| =12.22.5~dfsg-7 \|\| =12.22.7~dfsg-1 \|\| =12.22.7~dfsg-2 \|\| =12.22.9~dfsg-1 \|\| >=0 <12.22.12~dfsg-1~deb11u8	12.22.12~dfsg-1~deb11u8
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| >=0 <22.22.0+dfsg+~cs22.19.6-1	22.22.0+dfsg+~cs22.19.6-1
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| >=0 <22.22.0-r0	22.22.0-r0
debian 13	nodejs	=20.19.2+dfsg-1 \|\| >=0 <20.19.2+dfsg-1+deb13u1	20.19.2+dfsg-1+deb13u1
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| >=0 <18.20.4+dfsg-1~deb12u2	18.20.4+dfsg-1~deb12u2
rpm rhel8	nodejs	<1:20.20.0-1.module+el8.10.0+23905+c49b2aec	1:20.20.0-1.module+el8.10.0+23905+c49b2aec
rpm rhel10	nodejs24	<1:24.13.0-1.el10_1	1:24.13.0-1.el10_1
rpm rhel9	nodejs	<1:20.20.0-1.module+el9.7.0+23895+0637d423	1:20.20.0-1.module+el9.7.0+23895+0637d423
rpm rhel9.4	nodejs	<1:20.20.0-1.module+el9.4.0+23992+5dc31998	1:20.20.0-1.module+el9.4.0+23992+5dc31998
rpm rhel9.6	nodejs	<1:20.20.0-1.module+el9.6.0+23988+6b9eae47	1:20.20.0-1.module+el9.6.0+23988+6b9eae47

1-10 of 13

Aliases

1. CVE-2025-594652. NVD-2025-594653. OSV-DEBIAN-2025-594654. OSV-2025-594655. OSV-ALPINE-2025-594656. SECURITY-TRACKER-CVE-2025-594657. SECURITY-CVE-2025-59465

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.