Node.js security update for CVE-2025-59466 and related flaws
Security Patch Release
Summary
Hide ▲
Show ▼
Node.js released security updates for a critical async_hooks stack-overflow bug that could trigger DoS in production apps. The fix ships in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, while older 8.x to 18.x branches remain EoL and unpatched. The release also covers CVE-2025-59466 and three other high-severity flaws in the Node.js security bundle.
Related Happenings
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
Protobuf.js / protobufjs-cli Proto6 security patches (multiple vulnerabilities)
Security Patch Release
H score29
First: 10.06.2026 08:08
Last: 10.06.2026 08:08
Sources 1
About this happening:
**protobuf.js** and **protobufjs-cli** now have fixed releases for **Proto6**, reducing the risk of **RCE** and **DoS** in affected **Node.js** environments. The patch release cov...
Protobuf.js / protobufjs-cli Proto6 security patches (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: **protobuf.js** and **protobufjs-cli** now have fixed releases for **Proto6**, reducing the risk of **RCE** and **DoS** in affected **Node.js** environments. The patch release cov...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseAbout this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
F5 security patch release for CVE-2026-42945
Security Patch Release
H score25
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
F5 security patch release for CVE-2026-42945
Security Patch ReleaseAbout this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
GitHub CVE-2026-3854 security patch release
Security Patch Release
H score34
First: 29.04.2026 15:41
Last: 29.04.2026 15:41
Sources 1
About this happening:
**GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...
GitHub CVE-2026-3854 security patch release
Security Patch ReleaseAbout this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...
Timeline
-
14.01.2026 09:05 2 articles · 5mo ago
Node.js releases fixes for CVE-2025-59466
Mitigation Patch UpdateNode.js released security updates for a critical async_hooks stack overflow issue that could make Node.js exit with code 7 instead of throwing a catchable error, creating a denial-of-service risk for production applications that rely on AsyncLocalStorage and async_hooks. The fixes were shipped in Node.js 20.20.0 (LTS), Node.js 22.22.0 (LTS), Node.js 24.13.0 (LTS), and Node.js 25.3.0 (Current), with the flaw tracked as CVE-2025-59466 (CVSS score: 7.5).
Show sources
- Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow — thehackernews.com — 14.01.2026 09:05
- Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow — thehackernews.com — 14.01.2026 09:05