Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Application Security / Vulnerability

Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition.

“Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.

“A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to Denial-of-Service attacks.”

At its core, the shortcoming stems from the fact that Node.js exits with code 7 (denoting an Internal Exception Handler Run-Time Failure) instead of gracefully handling the exception when a stack overflow occurs in user code while async_hooks is enabled. Async_hooks is a low-level Node.js API that allows developers to track the lifecycle of asynchronous resources, such as database queries, timers, or HTTP requests.

The issue, Node.js said, impacts several frameworks and Application Performance Monitoring (APM) tools, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, owing to the use of AsyncLocalStorage, a component built atop the async_hooks module that makes it possible to store data throughout the lifetime of an asynchronous operation.

It has been addressed in the following versions -

• Node.js 20.20.0 (LTS)
• Node.js 22.22.0 (LTS)
• Node.js 24.13.0 (LTS)
• Node.js 25.3.0 (Current)

The problem also impacts all Node.js versions from 8.x, which was the first version with async_hooks, to 18.x. It’s worth noting that Node.js version 8.0.0, codenamed Carbon, was released on May 30, 2017. However, these versions are unpatched as they have reached end-of-life (EoL) status.

The fix put in place detects stack overflow errors and re-throws them to user code instead of treating them as fatal. This is being tracked under the CVE identifier CVE-2025-59466 (CVSS score: 7.5). Despite the significant practical impact, Node.js said it’s treating the fix as only a mitigation owing to a couple of reasons -

• Stack space exhaustion is not part of the ECMAScript specification
• The V8 JavaScript engine does not treat it as a security issue
• Limitations with the “uncaughtException” handler, which is designed to be used as a last resort mechanism for exception handling

“Although it is a bug fix for an unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem,” Node.js said. “React Server Components, Next.js, and virtually every APM tool are affected. The fix improves developer experience and makes error handling more predictable.”

In light of the severity of the vulnerability, users of the frameworks/tools and server hosting providers are recommended to update as soon as possible. Maintainers of libraries and frameworks are being recommended to apply more robust defenses to counter stack space exhaustion and ensure service availability.

The disclosure comes as Node.js also released fixes for three other high-severity flaws (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465) that could be exploited to achieve data leakage or corruption, read sensitive files using crafted relative symbolic link (symlink) paths, and trigger a remote denial-of-service, respectively.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.