From c5a0b73d1008cc7f9da63c89bbe5702afdebee8c Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Thu, 5 Feb 2026 23:55:48 +0100 Subject: [PATCH] doc: clarify EventEmitter error handling in threat model Add documentation explaining that applications are expected to attach 'error' event handlers to EventEmitters that can emit errors, including HTTP streams. Crashes resulting from missing error handlers are not considered denial-of-service vulnerabilities in Node.js. --- SECURITY.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 34d8633cf1f27d..6213ca3d43a704 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -335,6 +335,18 @@ the community they pose. proper security boundaries between trusted application logic and untrusted user input. +#### Unhandled 'error' Events on EventEmitters (CWE-248) + +* EventEmitters that can emit `'error'` events require the application to + attach an `'error'` event handler. This includes HTTP streams and other + Node.js core streams. If the application fails to attach an `'error'` + handler, the EventEmitter will throw an uncaught exception, which may + crash the process. +* Crashes resulting from missing `'error'` handlers are not considered + denial-of-service vulnerabilities in Node.js. It is the application's + responsibility to properly handle errors by attaching appropriate + `'error'` event listeners to EventEmitters that may emit errors. + ## Assessing experimental features reports Experimental features are eligible for security reports just like any other
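Review bot: the first bullet of the new "Unhandled 'error' Events on EventEmitters (CWE-248)" section slightly overstates the mechanism: when no `'error'` listener is attached, `emit('error', err)` throws `err` synchronously at the emit call site, and it only becomes an uncaught exception (and crashes the process) if nothing on that call stack catches it. Suggest rewording "the EventEmitter will throw an uncaught exception, which may crash the process" to something like "the EventEmitter will throw the error from the `emit()` call; if nothing catches it, it becomes an uncaught exception that may crash the process", so the documented behaviour matches what `EventEmitter` actually does. The second bullet's policy statement (missing `'error'` handlers are not a denial-of-service vulnerability) is clear and consistent with the surrounding threat-model section, and the CWE-248 (Uncaught Exception) reference in the heading is the right classification for that policy.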