Critical Node.js async_hooks Stack Overflow Vulnerability
Summary
Node.js has released updates to address a critical vulnerability (CVE-2025-59466) that can cause server crashes via stack overflow in applications using async_hooks. The flaw allows denial-of-service (DoS) attacks when recursion in user code exhausts stack space, affecting multiple frameworks and APM tools. The issue impacts Node.js versions from 8.x to 18.x, though only LTS and current versions have received patches.
Timeline
- 14.01.2026 09:05 · 1 article
Node.js Releases Patches for Critical async_hooks Stack Overflow Vulnerability
Node.js has released updates to address a critical vulnerability (CVE-2025-59466) that can cause server crashes via stack overflow in applications using async_hooks. The flaw affects multiple frameworks and APM tools, with patches available for LTS and current versions. The issue impacts Node.js versions from 8.x to 18.x, though end-of-life versions remain unpatched.
Sources:
- Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow — thehackernews.com — 14.01.2026 09:05
Information Snippets
- The vulnerability causes Node.js to exit with code 7 (Internal Exception Handler Run-Time Failure) instead of gracefully handling stack overflow errors when async_hooks is enabled.
  First reported: 14.01.2026 09:05 (1 source, 1 article)
- Affected frameworks and APM tools include React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry due to their use of AsyncLocalStorage.
  First reported: 14.01.2026 09:05 (1 source, 1 article)
- The vulnerability is addressed in Node.js versions 20.20.0, 22.22.0, 24.13.0, and 25.3.0. End-of-life versions from 8.x to 18.x remain unpatched.
  First reported: 14.01.2026 09:05 (1 source, 1 article)
- The fix detects stack overflow errors and re-throws them to user code, improving error handling predictability.
  First reported: 14.01.2026 09:05 (1 source, 1 article)
- Node.js treats the fix as a mitigation because stack space exhaustion is not part of the ECMAScript specification and V8 does not treat it as a security issue.
  First reported: 14.01.2026 09:05 (1 source, 1 article)
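An added example, not code from the Node.js project or the cited article: a check that classifies Node.js version strings against the fixed releases listed above (20.20.0, 22.22.0, 24.13.0, 25.3.0) and the 8.x to 18.x end-of-life range. The function names, status labels and sample inventory are assumptions made for illustration.

```javascript
// Added example: classify Node.js versions against the releases this page
// lists as fixed for CVE-2025-59466. Names and sample data are constructed.
const FIXED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };
const EOL_RANGE = [8, 18]; // end-of-life lines the page says remain unpatched

function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(raw).trim());
  if (!m) throw new TypeError(`unrecognised Node.js version: ${raw}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(raw) {
  const v = parseVersion(raw);
  const fixed = FIXED[v[0]];
  if (fixed) return compareVersions(v, fixed) >= 0 ? 'patched' : 'upgrade-available';
  if (v[0] >= EOL_RANGE[0] && v[0] <= EOL_RANGE[1]) return 'eol-unpatched';
  return 'not-listed'; // release line the page does not mention
}

// Return the inventory entries that still need action, with their status.
function auditFleet(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, version, status: classify(version) }))
    .filter((entry) => entry.status !== 'patched');
}

// Constructed inventory for illustration.
const sampleInventory = [
  { host: 'api-1', version: 'v20.19.5' },
  { host: 'api-2', version: 'v22.22.0' },
  { host: 'legacy-1', version: 'v18.20.8' },
  { host: 'edge-1', version: 'v24.13.1' },
];

console.log('this runtime:', process.version, classify(process.version));
console.table(auditFleet(sampleInventory));
```

The comparison is numeric per component, so 20.9.0 is correctly reported as older than 20.20.0, which a plain string comparison would get wrong.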