A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
Conclusion & alert: CVE-2025-59465 is rated Low Risk (36.9/100): CVSS High severity, with low exploitation likelihood (EPSS 0.06%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-26 | 0.05% | 0.06% | +0.02% |
| 2 | 2026-01-21 | — | 0.05% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.0 | HIGH |
|
3.9 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2025-59465: 1 source package rows (nodejs); 52 state rows across 6 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 2, open 50. | https://security.alpinelinux.org/vuln/CVE-2025-59465 |
debian
|
not yet assigned | CVE-2025-59465 not yet assigned priority: Debian including 1 source packages (nodejs), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2025-59465 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-59465 |
suse
|
high | CVE-2025-59465 severity important: SUSE including 83 source package names (2.1.3-6.15:qemu-guest-agent-8.2.9-1.1, corepack20-20.20.0-150600.3.15.1, …), 233 product×package rows across 38 product lines (Container suse/sl-micro/6.0/kvm-os-container, Image SL-Micro, … (38 product lines)): Fixed 149, Known Not Affected 79, First Fixed 5. | https://www.suse.com/security/cve/CVE-2025-59465/ |
ubuntu
|
medium | CVE-2025-59465 medium priority: Ubuntu including 1 source packages (nodejs), 9 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): needs-triage 7, ignored 1, released 1. | https://ubuntu.com/security/CVE-2025-59465 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| nodejs | node.js | >= 20.0.0, < 20.20.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| nodejs | node.js | >= 22.0.0, < 22.22.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| nodejs | node.js | >= 24.0.0, < 24.13.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| nodejs | node.js | >= 25.0.0, < 25.3.0 | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* |
| URL | Tags |
|---|---|
| https://nodejs.org/en/blog/vulnerability/december-2025-security-releases | Release Notes Vendor Advisory |