Node.js async_hooks stack overflow flaw (CVE-2025-59466)
Vulnerability
Summary
Node.js fixed a critical async_hooks stack overflow flaw that can force the runtime to exit instead of handling stack exhaustion gracefully, creating denial-of-service risk for virtually every production Node.js app that relies on graceful handling of stack exhaustion. The bug affects applications where recursion depth can be driven by unsanitized input, and it is tracked as CVE-2025-59466. The patch is available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0.
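The two checks the summary implies, as an added example that is not code from Node.js or the cited articles: comparing a runtime version against the fixed releases listed above, and rejecting deeply nested input before any recursive code sees it. The helper names and the depth limit of 64 are assumptions, and release lines not named on this page are reported as `unknown`.

```javascript
// Fixed releases per release line, as listed in the summary above.
const FIXED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };

// Returns 'patched', 'unpatched' (below the fixed release of its line),
// or 'unknown' (unparseable, or a release line this page does not list).
function patchStatus(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return 'unknown';
  const v = m.slice(1).map(Number);
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i] ? 'patched' : 'unpatched';
  }
  return 'patched';
}

// Hypothetical guard: true if `value` nests objects/arrays deeper than `limit`.
// It walks with an explicit stack, so the guard itself cannot exhaust the
// call stack, and it stops as soon as the limit is crossed.
function exceedsDepth(value, limit) {
  const stack = [[value, 1]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > limit) return true;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return false;
}

// Constructed sample input: an array nested 5001 levels deep.
function buildNested(levels) {
  let node = [];
  for (let i = 1; i < levels; i++) node = [node];
  return node;
}

console.log('runtime:', process.version, patchStatus(process.version));
console.log('sample rejected:', exceedsDepth(buildNested(5001), 64));
```

Run the depth check on parsed request bodies before they reach recursive processing; it complements updating to a fixed release and does not replace it.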
Timeline
14.01.2026 09:05
Node.js releases fixes for async_hooks stack overflow DoS
Mitigation Patch Update

Node.js released security updates on January 14, 2026, to address CVE-2025-59466, a critical async_hooks stack overflow issue that can cause Node.js to exit with code 7 instead of throwing a catchable error, creating denial-of-service risk for applications whose recursion depth is driven by unsanitized input. The fixed releases are Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. The issue affects React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry through AsyncLocalStorage.
Sources
- Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow — thehackernews.com — 14.01.2026 09:05