Node.js has released an update that fixes an issue described as a critical security issue that affects “virtually all production Node.js apps.” Exploitation of this issue could lead to a denial of service (DoS) condition.
“Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion due to catchable errors, which frameworks rely on to ensure service availability,” Node.js’ Matteo Collina and Joyee Cheung said in a Tuesday update.
“This attempt fails due to a bug that only reproduces when async_hooks are used, causing Node.js to exit directly at 7 without throwing a catchable error when stack space is exhausted due to recursion in user code. This makes applications where the depth of recursion is controlled by unsanitized input vulnerable to denial of service attacks.”
The core of this shortcoming stems from the fact that if a stack overflow occurs in user code while async_hooks is enabled, Node.js will not gracefully handle the exception and will exit with code 7 (indicating a runtime error in an internal exception handler). Async_hooks is a low-level Node.js API that allows developers to track the lifecycle of asynchronous resources such as database queries, timers, and HTTP requests.
According to Node.js, this issue affects several frameworks and application performance monitoring (APM) tools, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, due to the use of AsyncLocalStorage, a component built on the async_hooks module that allows you to save data for the entire lifetime of an asynchronous operation.
This issue has been resolved in the following versions:
Node.js 20.20.0 (LTS) Node.js 22.22.0 (LTS) Node.js 24.13.0 (LTS) Node.js 25.3.0 (current)
This issue also affects all Node.js versions from 8.x to 18.x, the first version with async_hooks. It’s worth noting that Node.js version 8.0.0, codenamed Carbon, was released on May 30, 2017. However, these versions have reached End of Life (EoL) status and are not patched.
The introduced fix detects stack overflow errors and rethrows them to user code instead of treating them as fatal errors. This is tracked with CVE identifier CVE-2025-59466 (CVSS score: 7.5). Despite the actual significant impact, Node.js said it is treating this fix as just a mitigation measure for several reasons.
“Although this is a bug fix for unspecified behavior, we chose to include it in a security release because it has broad ecosystem impact,” Node.js said. “React Server Components, Next.js, and virtually all APM tools are affected. This fix improves the developer experience and makes error handling more predictable.”
Given the severity of the vulnerability, users of frameworks/tools and server hosting providers are encouraged to update as soon as possible. Library and framework maintainers are encouraged to apply more robust defenses to combat stack space exhaustion and ensure service availability.
This disclosure comes at the same time that Node.js also released fixes for three other high-severity flaws (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465), which could be exploited to cause data disclosure or corruption, and crafted relative symbolic links (symlinks), respectively. The path could be used to read sensitive files or trigger a remote denial of service.
Source link
