Find notable cyber news and cases, enriched with sources, timelines, and signals.

Node.js security update for CVE-2025-59466 and related flaws

Security Patch Release
First reported
Last updated
Happening score
H score 26
1 unique sources, 1 articles

Summary

Hide ▲

Node.js released security updates for a critical async_hooks stack-overflow bug that could trigger DoS in production apps. The fix ships in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, while older 8.x to 18.x branches remain EoL and unpatched. The release also covers CVE-2025-59466 and three other high-severity flaws in the Node.js security bundle.

Related Happenings

F5 security patch release for CVE-2026-42530

Security Patch Release
H score39 First: 18.06.2026 20:32 Last: 18.06.2026 20:32 Sources 1

About this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...

Protobuf.js / protobufjs-cli Proto6 security patches (multiple vulnerabilities)

Security Patch Release
H score29 First: 10.06.2026 08:08 Last: 10.06.2026 08:08 Sources 1

About this happening: **protobuf.js** and **protobufjs-cli** now have fixed releases for **Proto6**, reducing the risk of **RCE** and **DoS** in affected **Node.js** environments. The patch release cov...

Nginx security patch release for CVE-2026-49975

Security Patch Release
H score42 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...

F5 security patch release for CVE-2026-42945

Security Patch Release
H score25 First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...

Latest development: 17.05.2026 14:57

VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.

GitHub CVE-2026-3854 security patch release

Security Patch Release
H score34 First: 29.04.2026 15:41 Last: 29.04.2026 15:41 Sources 1

About this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...

Timeline

  1. 14.01.2026 09:05 2 articles · 5mo ago

    Node.js releases fixes for CVE-2025-59466

    Mitigation Patch Update

    Node.js released security updates for a critical async_hooks stack overflow issue that could make Node.js exit with code 7 instead of throwing a catchable error, creating a denial-of-service risk for production applications that rely on AsyncLocalStorage and async_hooks. The fixes were shipped in Node.js 20.20.0 (LTS), Node.js 22.22.0 (LTS), Node.js 24.13.0 (LTS), and Node.js 25.3.0 (Current), with the flaw tracked as CVE-2025-59466 (CVSS score: 7.5).

    Show sources