CVE-2025-59465
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` er
CVSS
7.5
High
EPSS
3.8%
p89
KEV
—
Exploit Today
27
0-100
Published: Jan 20, 2026 · Last modified: Jul 15, 2026 · CWE-400 · CWE-248
3.8%EPSS · 30 days3.8%
2026-06-302026-07-16
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
- nodejs.orghttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:1842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:1843
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2420
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2421
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2422
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2767
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2768
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2781
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2782
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2783
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2864
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:2899
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6402
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6431
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7386
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7387
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-59465
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2431349
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-238647.5 HIG82.9%
——25Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.2dCVE-2026-455917.5 HIG82.4%
——25Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.2dCVE-2026-331167.5 HIG80.0%
——24Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.2dCVE-2026-465227.5 HIG76.7%
——23ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue.2dCVE-2026-261717.5 HIG75.4%
——23Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.2dCVE-2026-238697.5 HIG72.3%
——22A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.2d