Cyber Web Spider Blog – News


Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Posted on January 14, 2026 By CWS

Jan 14, 2026Ravie LakshmananApplication Safety / Vulnerability
Node.js has launched updates to repair what it described as a vital safety challenge impacting “just about each manufacturing Node.js app” that, if efficiently exploited, may set off a denial-of-service (DoS) situation.
“Node.js/V8 makes a best-effort try to get well from stack area exhaustion with a catchable error, which frameworks have come to depend on for service availability,” Node.js’s Matteo Collina and Joyee Cheung stated in a Tuesday bulletin.
“A bug that solely reproduces when async_hooks are used would break this try, inflicting Node.js to exit with 7 straight with out throwing a catchable error when recursions in consumer code exhaust the stack area. This makes functions whose recursion depth is managed by unsanitized enter susceptible to Denial-of-Service assaults.”
At its core, the shortcoming stems from the truth that Node.js exits with code 7 (denoting an Inner Exception Handler Run-Time Failure) as an alternative of gracefully dealing with the exception when a stack overflow happens in consumer code whereas async_hooks is enabled. Async_hooks is a low-level Node.js API that permits builders to trace the lifecycle of asynchronous assets, comparable to database queries, timers, or HTTP requests.

The issue, Node.js said, affects a number of frameworks and Application Performance Monitoring (APM) tools, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, owing to the use of AsyncLocalStorage, a component built atop the async_hooks module that makes it possible to store data throughout the lifetime of an asynchronous operation.
It has been addressed in the following versions:

Node.js 20.20.0 (LTS)
Node.js 22.22.0 (LTS)
Node.js 24.13.0 (LTS)
Node.js 25.3.0 (Current)

The problem also affects all Node.js versions from 8.x, which was the first version with async_hooks, to 18.x. It's worth noting that Node.js version 8.0.0, codenamed Carbon, was released on May 30, 2017. However, these versions are unpatched as they have reached end-of-life (EoL) status.
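A version check built from the release numbers above, as an added example that is not code from Node.js or the original article. The function names and result labels are illustrative assumptions, and majors the article does not mention are reported as `not-listed` rather than guessed.

```javascript
// Added example: classify a Node.js version against the fixed releases
// named in this article. Function names and labels are assumptions.
const FIXED = {
  20: [20, 20, 0],
  22: [22, 22, 0],
  24: [24, 13, 0],
  25: [25, 3, 0],
};

// Accepts "v22.21.1" or "22.21.1"; ignores any pre-release suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parseVersion(version);
  const major = v[0];
  // 8.x through 18.x: affected per the article, end-of-life, no patch.
  if (major >= 8 && major <= 18) return 'affected-eol';
  const fixed = FIXED[major];
  // Release lines the article says nothing about.
  if (!fixed) return 'not-listed';
  return compare(v, fixed) >= 0 ? 'patched' : 'affected-update';
}

// Report on the runtime executing this script.
console.log(process.version, classify(process.version));
```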
The fix put in place detects stack overflow errors and re-throws them to user code instead of treating them as fatal. This is being tracked under the CVE identifier CVE-2025-59466 (CVSS score: 7.5). Despite the significant practical impact, Node.js said it's treating the fix as only a mitigation owing to a few reasons –

“Although it is a bug fix for an unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem,” Node.js said. “React Server Components, Next.js, and virtually every APM tool are affected. The fix improves developer experience and makes error handling more predictable.”
In light of the severity of the vulnerability, users of the frameworks/tools and server hosting providers are recommended to update as soon as possible. Maintainers of libraries and frameworks are being recommended to apply more robust defenses to counter stack space exhaustion and ensure service availability.
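One such defense, shown as an added example that is not from the Node.js bulletin or the original article: cap the nesting depth of untrusted input with an explicit stack before any recursive code sees it, so availability does not depend on catching a stack overflow. `MAX_DEPTH`, the function names, and the sample inputs are illustrative assumptions.

```javascript
// Added example: bound the nesting depth of untrusted data without
// recursing. MAX_DEPTH and all function names are assumptions.
const MAX_DEPTH = 64;

// True if `value` nests no deeper than `limit`. Uses an explicit stack,
// so its own call depth stays constant regardless of the input.
function withinDepth(value, limit = MAX_DEPTH) {
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > limit) return false;
    for (const child of Array.isArray(node) ? node : Object.values(node)) {
      stack.push([child, depth + 1]);
    }
  }
  return true;
}

// Recursive consumer standing in for application or framework code.
function countLeaves(node) {
  if (node === null || typeof node !== 'object') return 1;
  return Object.values(node).reduce((n, c) => n + countLeaves(c), 0);
}

// Gatekeeper: reject over-deep input before any recursion happens.
function safeCountLeaves(untrusted) {
  if (!withinDepth(untrusted)) {
    return { ok: false, error: 'input nesting exceeds limit' };
  }
  return { ok: true, leaves: countLeaves(untrusted) };
}

// Constructed sample input: an object nested `levels` deep, built in a
// loop so that creating it does not itself recurse.
function makeNested(levels) {
  let node = { leaf: 1 };
  for (let i = 0; i < levels; i++) node = { child: node };
  return node;
}

console.log(safeCountLeaves({ a: [1, 2, { b: 3 }], c: null }));
console.log(safeCountLeaves(makeNested(100000)));
```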
The disclosure comes as Node.js also released fixes for three other high-severity flaws (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465) that could be exploited to achieve data leakage or corruption, read sensitive files using crafted relative symbolic link (symlink) paths, and trigger a remote denial-of-service, respectively.

The Hacker News Tags: async_hooks, Crashes, Critical, Node.js, Overflow, Server, Stack, Vulnerability
