Node.js and Dynatrace: Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js Patches Critical DoS Vulnerability Affecting Widespread Ecosystem

Node.js has released urgent security updates to address a critical denial-of-service (DoS) vulnerability (CVE-2025-59466, CVSS 7.5) that could crash nearly all production Node.js applications if exploited. The flaw is triggered when user code exhausts the stack while the async_hooks API is enabled: instead of throwing a catchable exception, Node.js terminates the process abruptly with exit code 7.

The issue stems from a bug in Node.js’s handling of stack overflows in conjunction with async_hooks, a low-level API used to track asynchronous operations. Frameworks and Application Performance Monitoring (APM) tools including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry are affected due to their reliance on AsyncLocalStorage, a component built on async_hooks.

The vulnerability impacts all Node.js versions from 8.x (released in 2017) through 18.x, though only supported LTS and current releases have received patches. Fixed versions include:

  • Node.js 20.20.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 24.13.0 (LTS)
  • Node.js 25.3.0 (Current)

End-of-life (EoL) versions (8.x–18.x) remain unpatched. The fix detects stack overflow errors and rethrows them to user code rather than treating them as fatal, making error handling predictable again. Node.js characterized the change as a mitigation rather than a complete fix, citing limitations in the ECMAScript specification and V8's stance on stack exhaustion.

Alongside this flaw, Node.js patched three additional high-severity vulnerabilities (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465) enabling data leakage, symlink-based file reads, and remote DoS attacks. The updates underscore the need for prompt upgrades in affected environments.

Source: https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html

Node.js TPRM report: https://www.rankiteo.com/company/node.js-foundation

Dynatrace TPRM report: https://www.rankiteo.com/company/dynatrace

"id": "noddyn1768467414",
"linkid": "node.js-foundation, dynatrace",
"type": "Vulnerability",
"date": "1/2026",
"severity": "75",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Virtually every production '
                                              'Node.js app',
                        'industry': 'Technology/Software Development',
                        'name': 'Node.js',
                        'type': 'Software Framework'},
                       {'industry': 'Technology/Web Development',
                        'name': 'React Server Components',
                        'type': 'Framework'},
                       {'industry': 'Technology/Web Development',
                        'name': 'Next.js',
                        'type': 'Framework'},
                       {'industry': 'Technology/Monitoring',
                        'name': 'Datadog',
                        'type': 'Application Performance Monitoring (APM)'},
                       {'industry': 'Technology/Monitoring',
                        'name': 'New Relic',
                        'type': 'Application Performance Monitoring (APM)'},
                       {'industry': 'Technology/Monitoring',
                        'name': 'Dynatrace',
                        'type': 'Application Performance Monitoring (APM)'},
                       {'industry': 'Technology/Monitoring',
                        'name': 'Elastic APM',
                        'type': 'Application Performance Monitoring (APM)'},
                       {'industry': 'Technology/Monitoring',
                        'name': 'OpenTelemetry',
                        'type': 'Observability Framework'}],
 'attack_vector': 'Unsanitized input controlling recursion depth',
 'customer_advisories': 'Users of affected frameworks/tools and server hosting '
                        'providers recommended to update immediately',
 'description': 'Node.js released updates to fix a critical security issue '
                'impacting production Node.js applications that could trigger '
                'a denial-of-service (DoS) condition. The bug causes Node.js '
                'to exit with code 7 when stack space is exhausted in user '
                'code while async_hooks is enabled, instead of throwing a '
                'catchable error. This affects applications whose recursion '
                'depth is controlled by unsanitized input.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'service outages',
            'downtime': 'Potential service unavailability due to process '
                        'termination',
            'operational_impact': 'Denial-of-service leading to service '
                                  'disruption',
            'systems_affected': 'Node.js applications using async_hooks or '
                                'frameworks/tools relying on '
                                'AsyncLocalStorage'},
 'investigation_status': 'Resolved (mitigated via patches)',
 'lessons_learned': 'Stack space exhaustion in user code with async_hooks '
                    'enabled can lead to unexpected process termination. '
                    'Frameworks and APM tools relying on AsyncLocalStorage are '
                    'particularly vulnerable. Robust defenses against stack '
                    'space exhaustion are necessary to ensure service '
                    'availability.',
 'post_incident_analysis': {'corrective_actions': 'Detect stack overflow '
                                                  'errors and re-throw them to '
                                                  'user code; release patched '
                                                  'versions',
                            'root_causes': 'Bug in Node.js/V8 where stack '
                                           'space exhaustion with async_hooks '
                                           'enabled causes process termination '
                                           'instead of throwing a catchable '
                                           'error'},
 'recommendations': ['Update to patched Node.js versions (20.20.0, 22.22.0, '
                     '24.13.0, 25.3.0) as soon as possible',
                     'Apply more robust defenses to counter stack space '
                     'exhaustion in libraries and frameworks',
                     'Ensure error handling is predictable and does not rely '
                     'on unspecified behaviors'],
 'references': [{'source': 'Node.js Bulletin'}],
 'response': {'communication_strategy': 'Public bulletin released by Node.js '
                                        'maintainers',
              'containment_measures': 'Node.js released patched versions '
                                      '(20.20.0, 22.22.0, 24.13.0, 25.3.0) to '
                                      'mitigate the issue',
              'recovery_measures': 'Users and maintainers advised to update to '
                                   'patched versions',
              'remediation_measures': 'Detect stack overflow errors and '
                                      're-throw them to user code instead of '
                                      'treating them as fatal'},
 'stakeholder_advisories': 'Maintainers of libraries and frameworks advised to '
                           'apply robust defenses against stack space '
                           'exhaustion',
 'title': 'Node.js Critical Security Issue Leading to Denial-of-Service (DoS)',
 'type': 'Denial-of-Service (DoS)',
 'vulnerability_exploited': 'Stack space exhaustion in user code with '
                            'async_hooks enabled'}