Critical vulnerabilities in HTTP/2, AsyncLocalStorage, and permissions model
"Node.js framework illustration featuring iconic hexagon logo with circuit board connections, representing server-side JavaScript architecture and backend development security"
Photo by Perplexity Labs
Feel free to send us a message with your thoughts, or learn more about us!
On January 13, 2026, the Node.js project released security patches addressing:
Important context: Three CVEs (CVE-2025-55130, CVE-2026-21636, CVE-2025-55132) only affect users of Node.js’s experimental permission model (--experimental-permission or --permission flags).
This feature, introduced in Node.js v201, has limited production adoption. Most Node.js deployments do NOT use the permissions model.
Quick check: If you don’t explicitly pass --permission, --allow-fs-read, --allow-fs-write, or --allow-net flags when starting Node.js, these three CVEs don’t apply to your deployment.
If you do use the permissions model: These are critical bypasses that break your security boundaries. Upgrade immediately.
Patched Versions:
| Release Line | Patched Version | Release Notes |
|---|---|---|
| v25.x (Current) | 25.3.0 | Release Notes |
| v24.x (LTS) | 24.13.0 | Release Notes |
| v22.x (LTS) | 22.22.0 | Release Notes |
| v20.x (Maintenance LTS) |
Dependency Updates Included:
read_answers()) and multiple moderate severity DNS parsing issuesThese dependency patches are automatically included in the Node.js security releases.
| CVE | Severity | v20.x | v22.x | v24.x | v25.x | Notes |
|---|---|---|---|---|---|---|
| CVE-2025-55131 | High | Yes | Yes | Yes | Yes | Buffer memory leak |
| CVE-2025-55130 | High | Yes | Yes | Yes | Yes | Permissions model only |
| CVE-2025-59465 | High | Yes | Yes | Yes |
| Your Situation | Action Required | Risk Level |
|---|---|---|
| Running Node.js v20-v23 + any framework | Upgrade immediately to v20.20.0 / v22.22.0 | HIGH |
| Running Node.js v24.x + Next.js/React | Upgrade to v24.13.0 (lower CVE-2025-59466 risk) | MEDIUM |
| Running Node.js v25.x | Upgrade immediately to v25.3.0 | HIGH (v25-specific CVE) |
Using --permission flags | Upgrade urgently (3 bypasses) | CRITICAL |
| Running self-hosted HTTP/2 servers | Review error handlers + upgrade | HIGH |
| Using APM tools (all versions) |
All users should upgrade regardless, but this helps you understand your specific risk exposure.
Node.js released critical security patches affecting all production deployments. Your engineering teams need to upgrade immediately to prevent server crashes and data leaks. Budget emergency patching cycles for January 2026 Node.js updates.
You are affected if:
AsyncLocalStorage internally)cookies(), headers(), or other Next.js request context APIsCritical CVEs for you:
Recommended Action:
# Check your Node.js version
node --version
# Upgrade to patched version
nvm install 24.13.0 # or 22.22.0, 20.20.0
# Create version pinning file
echo "24.13.0" > .nvmrcAdditional Mitigation:
Validate input depth in API routes to prevent stack overflow:
const MAX_DEPTH = 10;
function validateDepth(obj: unknown, depth = 0): boolean {
if (depth > MAX_DEPTH) return false;
if (typeof obj !== 'object' || obj === null) return true;
return Object.
Upgrade Node.js to v20.20.0, v22.22.0, v24.13.0, or v25.3.0 immediately. If using Next.js 13+ with App Router, add depth validation to API routes processing user input to prevent CVE-2025-59466 exploitation.
You are affected if:
require('dd-trace'), require('newrelic'), or similar APM initializationWhy APM makes CVE-2025-59466 worse:
APM tools use async_hooks.createHook() to trace requests across async boundaries. The moment you import an APM package, your application has async_hooks enabled, making stack overflow errors uncatchable.
The irony: The tools you install to monitor crashes can make a category of crashes behave differently.
Recommended Action:
You are affected if:
--experimental-permission or --permission flags--allow-fs-read, --allow-fs-write, or --allow-net flagsCritical CVEs for you:
Recommended Action:
Upgrade immediately. The permissions model’s security guarantees are broken until patched.
You are affected if:
Critical CVEs for you:
Recommended Action:
# Install the patched version for your release line
nvm install 24.13.0 # LTS (recommended)
nvm install 22.22.0 # Previous LTS
nvm install 20.20.0 # Maintenance LTS
nvm install 25.3.0 # Current
# Verify installation
node --version
# v24.13.0
# Set as default
nvm alias default 24.13.0
# Create version pinning file for your project
echo "24.13.0" > .nvmrc
echo "24.13.0" > .node-version # For other version managersbrew update
brew upgrade node
node --version# Check Node.js version
node --version
# Should show: v20.20.0, v22.22.0, v24.13.0, or v25.3.0
# Verify npm is functional
npm --version
# Run your test suite
npm testUpdate your GitHub Actions workflows to use version pinning:
# .github/workflows/ci.yml
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc' # Use version from .nvmrc fileMonitor for buffer memory leaks (CVE-2025-55131), AsyncLocalStorage crashes in Next.js apps (CVE-2025-59466), and HTTP/2 DoS patterns (CVE-2025-59465). If using --permission flags, review symlink bypasses and UDS access controls immediately.
Affected Versions: 20.x, 22.x, 24.x, 25.x
Reporter: Nikita Skovoroda
A flaw in Node.js buffer allocation logic can expose uninitialized memory when allocations are interrupted while using the vm module with the timeout option. Under specific timing conditions, buffers allocated with Buffer.alloc() and instances like Uint8Array may contain leftover data from previous operations.
Impact:
This vulnerability allows in-process secrets like tokens, passwords, or API keys to leak, potentially causing data corruption. While exploitation typically requires precise timing or in-process code execution, it becomes remotely exploitable when untrusted input influences workload and timeouts.
Example Risk Scenario:
import { runInNewContext } from 'vm';
// Previous operation stored sensitive data
const sensitiveBuffer = Buffer.alloc(1024);
sensitiveBuffer.write('SECRET_API_KEY_xyz123');
// Later, with vm timeout, race condition can occur
const result = runInNewContext('Buffer.alloc(1024)', {}, { timeout: 100 });
// result may contain: "SECRET_API_KEY_xyz123" from previous operationMitigation: Upgrade to patched versions. Avoid using vm module with untrusted input and timeout options in security-sensitive contexts.
Affected Versions: 20.x, 22.x, 24.x, 25.x (permissions model users)
Reporter: natann
Fix By: RafaelGSS
A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files.
Impact:
This breaks the expected isolation guarantees and enables arbitrary file read/write, potentially leading to system compromise.
Attack Pattern:
# Application started with restricted permissions
node --experimental-permission --allow-fs-read=/app/data ./app.js
# Attacker creates symlink chain to escape /app/data
# symlink: /app/data/escape -> ../../../etc/passwd
# Script can now read /etc/passwd despite restrictionsWho Is Affected:
Only users of the Node.js permission model (--experimental-permission or --permission flags) are affected. If you’re not using these flags, this CVE does not apply to your deployments.
Mitigation: Upgrade to patched versions. Review symlink handling in permission-restricted environments.
Affected Versions: 20.x, 22.x, 24.x, 25.x
Reporter: dantt
Fix By: RafaelGSS
A malformed HEADERS frame with oversized, invalid data can cause Node.js to crash by triggering an unhandled TLSSocket error (ECONNRESET). Instead of safely closing the connection, the process crashes, enabling remote denial of service.
Impact:
This vulnerability primarily affects applications that do not attach explicit error handlers to secure sockets. A remote attacker can crash your entire Node.js process with a single malformed request.
Vulnerable Pattern:
// Default HTTP/2 server - NO explicit error handlers
import { createSecureServer } from 'http2';
const server = createSecureServer({
key: privateKey,
cert: certificate,
});
server.on('stream', (stream, headers) => {
// Handle request
});
server.listen(443);
// Attacker sends malformed HEADERS frame -> Process crashesRecommended Mitigation:
// Add explicit error handlers to prevent crashes
server.on('secureConnection', (socket) => {
socket.on('error', (err) => {
console.error(
'<GlossaryTooltip term="TLS Socket Error" definition="TLS Socket Error - errors occurring during secure socket communication, commonly including connection resets, handshake failures, and protocol violations that can crash servers if unhandled">TLS Socket Error</GlossaryTooltip>:',
err.message
);
// Gracefully close instead of crashing
socket.destroy();
});
});Who Is Affected:
Any Node.js application using HTTP/2 without explicit TLS socket error handlers. This includes many Next.js, Fastify, and custom HTTP/2 deployments.
Affected Versions: 20.x, 22.x, 24.x, 25.x
Reporter: Andrew MacPherson (AndrewMohawk), aaron_vercel
Fix By: mcollina
A bug in Node.js error handling causes “Maximum call stack size exceeded” errors to become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates immediately, making the crash unrecoverable.
Why This Matters:
This vulnerability silently affects a massive portion of the Node.js ecosystem because:
async_hooks.createHook() to trace requestsApplications whose recursion depth is controlled by unsanitized input become vulnerable to denial-of-service attacks.
Example Vulnerable Pattern:
// API route processing deeply nested user input
export async function POST(request: Request) {
const data = await request.json();
// If data is deeply nested (1000+ levels), stack overflow occurs
// With AsyncLocalStorage active, error bypasses all handlers
// Process crashes immediately - no logging, no recovery
const result = processNestedData(data);
return Response.json(result);
}Important Caveat:
The Node.js patch improves recoverability in one edge case, but the documentation explicitly states:
“Recovery from space exhaustion is unspecified, best-effort behavior and is not a reliable basis for availability or security.”
Recommendation: Don’t rely on catching stack overflow errors. Prevent them by validating input depth and bounding recursion.
Important for Node.js v24+ users: Node.js v24 fundamentally changed AsyncLocalStorage’s implementation—it no longer uses async_hooks.createHook() internally8. This means:
async_hooks.createHook(): Still affected on all versionsIf you’re running Node.js v24.13.0+, CVE-2025-59466 is primarily a concern if you:
async_hooks.createHook() (check vendor documentation)async_hooks.createHook()Bottom line: The risk profile for Next.js applications is significantly different between Node.js v20-v23 (high risk) and v24+ (lower risk). Upgrade regardless, but understand the context.
Further Reading: Node.js published a detailed companion blog post: Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users
Affected Versions: 20.x, 22.x, 24.x
Reporter: giant_anteater
Fix By: RafaelGSS
A memory leak in Node.js’s OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory.
Impact:
Remote clients can trigger steady memory growth through repeated TLS connections. Over time, this leads to resource exhaustion and denial of service.
Affected Pattern:
// TLS server processing client certificates
server.on('secureConnection', (socket) => {
// Each call leaks memory
const cert = socket.getPeerCertificate(true);
// Memory never freed for certificate fields
});Who Is Affected:
Applications that process TLS client certificates, particularly implementations and certificate-based authentication systems.
Affected Versions: v25.x only
Reporter: mufeedvh
Fix By: RafaelGSS
A flaw in Node.js’s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch.
Impact:
This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
Note: Network permissions (--allow-net) are still in the experimental phase.
Who Is Affected:
Only users of the Node.js permission model on version v25.x. If you’re using v20, v22, or v24, or not using the permission model, this CVE does not apply.
Affected Versions: All versions using PSK or ALPN callbacks
Reporter: 0xmaxhax
Fix By: mcollina
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error).
Impact:
This causes either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue.
Who Is Affected:
TLS servers using Pre-Shared Key (PSK) authentication or Application-Layer Protocol Negotiation (ALPN) callbacks that may throw exceptions.
Affected Versions: 20.x, 22.x, 24.x, 25.x (permissions model users)
Reporter: oriotie
Fix By: RafaelGSS
A flaw in Node.js’s permission model allows a file’s access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks.
Impact:
File metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs and audit trails.
Who Is Affected:
Only users of the Node.js permission model. Low impact for most deployments.
Upgrade immediately - All active Node.js release lines (20.x, 22.x, 24.x, 25.x) are affected by at least 6 of the 8 CVEs
HTTP/2 servers need error handlers - CVE-2025-59465 can crash servers that lack explicit TLS socket error handling
AsyncLocalStorage affects most modern apps - If you use Next.js, React Server Components, or any APM tool, CVE-2025-59466 applies to you
Prevent stack overflow, don’t catch it - Input validation and recursion depth limits are more reliable than error handling
Permission model users: patch urgently - Multiple CVEs break file system and network isolation guarantees
Pin your Node.js version - Use .nvmrc and .node-version files to ensure consistent versions across development and CI/CD
Subscribe to security notifications - Join the nodejs-sec mailing list for future advisories
Subscribe to the low-volume, announcement-only nodejs-sec mailing list: groups.google.com/forum/#!forum/nodejs-sec
Node.js 20 Released, Features Experimental Permission Model - InfoQ
c-ares vulnerabilities - Official c-ares vulnerability database
The January 2026 Security Update Review - Zero Day Initiative (undici CVE-2026-22036)
| 20.20.0 |
| Release Notes |
| Yes |
| HTTP/2 servers |
| CVE-2025-59466 | Medium | Yes | Yes | Yes | Yes | AsyncLocalStorage users |
| CVE-2025-59464 | Medium | Yes | Yes | Yes | No | TLS cert processing |
| CVE-2026-21636 | Medium | No | No | No | Yes | v25 permissions model |
| CVE-2026-21637 | Medium | Yes | Yes | Yes | Yes | PSK/ALPN callback users |
| CVE-2025-55132 | Low | Yes | Yes | Yes | Yes | Permissions model only |
| Upgrade + review recursion depth limits |
| MEDIUM-HIGH |
Functions: cookies | Next.js - Official Next.js documentation on AsyncLocalStorage usage
Monitoring and Tracing | Hive Gateway - OpenTelemetry integration guide
Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion - Node.js Official Blog (AsyncLocalStorage v24 reimplementation)