doc: clarify EventEmitter error handling in threat model

mcollina · aduh95 · commit 439b816bc737 · 2026-02-08T10:10:46.000+01:00
Add documentation explaining that applications are expected to attach 'error' event handlers to EventEmitters that can emit errors, including HTTP streams. Crashes resulting from missing error handlers are not considered denial-of-service vulnerabilities in Node.js. PR-URL: #61701 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -335,6 +335,18 @@ the community they pose.
   proper security boundaries between trusted application logic and untrusted
   user input.
 
+#### Unhandled 'error' Events on EventEmitters (CWE-248)
+
+* EventEmitters that can emit `'error'` events require the application to
+  attach an `'error'` event handler. This includes HTTP streams and other
+  Node.js core streams. If the application fails to attach an `'error'`
+  handler, the EventEmitter will throw an uncaught exception, which may
+  crash the process.
+* Crashes resulting from missing `'error'` handlers are not considered
+  denial-of-service vulnerabilities in Node.js. It is the application's
+  responsibility to properly handle errors by attaching appropriate
+  `'error'` event listeners to EventEmitters that may emit errors.
+
 ## Assessing experimental features reports
 
 Experimental features are eligible for security reports just like any other
