📄 Description (English)
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
🤖 AI Executive Summary
CVE-2025-59466 is a denial-of-service vulnerability in Node.js affecting versions 20, 22, and 24 when async_hooks or AsyncLocalStorage are enabled. The vulnerability causes uncatchable stack overflow errors that terminate the process instead of triggering exception handlers, making applications unrecoverable. This impacts any Node.js application using async context tracking, which is increasingly common in modern Saudi enterprise applications.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 2, 2026 11:02
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations relying on Node.js for backend services: (1) Banking/SAMA-regulated fintech platforms using async context for transaction tracking and request isolation; (2) Government digital transformation initiatives (NDMO, NCA) running Node.js microservices; (3) Telecom operators (STC, Mobily, Zain) using Node.js for API gateways and billing systems; (4) Healthcare providers using Node.js for patient data management systems; (5) E-commerce and digital payment platforms. The vulnerability enables remote attackers to trigger denial-of-service by inducing deep recursion, causing unrecoverable process crashes without proper error logging.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Healthcare
E-commerce and Digital Payments
Energy and Utilities
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Node.js applications using async_hooks.createHook() or AsyncLocalStorage (check package.json dependencies and code for these APIs)
2. Implement process monitoring and auto-restart mechanisms (PM2, systemd, Docker health checks) as temporary mitigation
3. Add request depth/recursion limits in application code to prevent stack exhaustion
PATCHING GUIDANCE:
1. Upgrade Node.js to patched versions: v20.x (20.13.0+), v22.x (22.3.0+), v24.x (24.1.0+)
2. Test patches in staging environment before production deployment
3. Coordinate with development teams to validate async_hooks functionality post-patch
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable async_hooks.createHook() and AsyncLocalStorage if not critical to application logic
2. Implement request timeout and recursion depth limits at application level
3. Deploy WAF rules to detect and block requests with excessive nesting/recursion patterns
4. Use reverse proxy (nginx) to limit request complexity and depth
DETECTION RULES:
1. Monitor for unexpected Node.js process crashes with 'Maximum call stack size exceeded' in logs
2. Alert on rapid process restarts (>5 restarts in 5 minutes)
3. Track error logs for uncaught exceptions that bypass process.on('uncaughtException')
4. Monitor CPU and memory spikes preceding process termination
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تطبيقات Node.js التي تستخدم async_hooks.createHook() أو AsyncLocalStorage (تحقق من package.json والكود)
2. تنفيذ آليات مراقبة العمليات وإعادة التشغيل التلقائي (PM2، systemd، Docker health checks) كتخفيف مؤقت
3. إضافة حدود عمق الطلب/التكرار في كود التطبيق لمنع استنزاف المكدس
إرشادات التصحيح:
1. ترقية Node.js إلى الإصدارات المصححة: v20.x (20.13.0+)، v22.x (22.3.0+)، v24.x (24.1.0+)
2. اختبار التصحيحات في بيئة التجريب قبل نشرها في الإنتاج
3. التنسيق مع فرق التطوير للتحقق من وظائف async_hooks بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل async_hooks.createHook() و AsyncLocalStorage إذا لم تكن حرجة
2. تنفيذ حدود انتظار الطلب وحدود عمق التكرار على مستوى التطبيق
3. نشر قواعد WAF للكشف عن طلبات التكرار المفرط
4. استخدام reverse proxy (nginx) لتحديد تعقيد الطلب
قواعد الكشف:
1. مراقبة أعطال عمليات Node.js غير المتوقعة مع 'Maximum call stack size exceeded'
2. تنبيهات إعادة التشغيل السريعة (>5 مرات في 5 دقائق)
3. تتبع سجلات الأخطاء للاستثناءات غير المعالجة
4. مراقبة ارتفاعات CPU والذاكرة قبل إنهاء العملية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.8.2.3 - User access management and segregation of duties
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - Software development and change management
SAMA CSF DE.CM-1 - Detection and analysis of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.8.1.1 - Inventory of assets
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates for system components
PCI DSS 6.3.1 - Identification and remediation of security vulnerabilities
📦 Affected Products / CPE 4 entries
nodejs:node.js
nodejs:node.js
nodejs:node.js
nodejs:node.js