A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ```
https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json
https://bugzilla.redhat.com/show_bug.cgi?id=2431349
https://access.redhat.com/security/cve/CVE-2025-59465
https://access.redhat.com/errata/RHSA-2026:7387
https://access.redhat.com/errata/RHSA-2026:7386
https://access.redhat.com/errata/RHSA-2026:6431
https://access.redhat.com/errata/RHSA-2026:6402
https://access.redhat.com/errata/RHSA-2026:2899
https://access.redhat.com/errata/RHSA-2026:2864
https://access.redhat.com/errata/RHSA-2026:2783
https://access.redhat.com/errata/RHSA-2026:2782
https://access.redhat.com/errata/RHSA-2026:2781
https://access.redhat.com/errata/RHSA-2026:2768
https://access.redhat.com/errata/RHSA-2026:2767
https://access.redhat.com/errata/RHSA-2026:2422
https://access.redhat.com/errata/RHSA-2026:2421
https://access.redhat.com/errata/RHSA-2026:2420