Node.js patches a critical vulnerability, affecting virtually all production applications, that lets attackers crash servers through a stack overflow while async_hooks are in use.

A newly patched Node.js vulnerability poses a severe threat to virtually every production application using the JavaScript runtime, enabling attackers to crash servers with input that drives unbounded recursion. Designated CVE-2025-59466 (CVSS 7.5), the flaw allows denial of service when malicious input exhausts the call stack while async_hooks are enabled.
Node.js core contributors Matteo Collina and Joyee Cheung explained the gravity in their security bulletin: "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error... A bug that reproduces when async_hooks are used breaks this attempt, causing Node.js to exit directly without throwing a catchable error." In other words, the `RangeError` that a `try`/`catch` or `uncaughtException` handler would normally see never reaches application code, bypassing the exception handling that applications rely on to stay available.
The vulnerability resides in how Node.js handles stack overflows in user code when the async_hooks module is active. This low-level API, used to track the lifecycle of asynchronous resources, turns an ordinary stack overflow into a process crash whenever user code recurses to a depth the attacker controls (deeply nested request bodies, for example). The impact extends through popular frameworks and monitoring tools including:
- React Server Components
- Next.js
- APM solutions from Datadog, New Relic, Dynatrace, and Elastic APM
These tools commonly use AsyncLocalStorage, an async_hooks-based component that carries request context across asynchronous operations; an application need not call async_hooks directly to be affected. When exploited, the attacker forces the Node.js process to terminate with exit code 7 (Internal Exception Handler Run-Time Failure) instead of surfacing a catchable error.
Patched versions include:
- Node.js 20.20.0 (LTS)
- Node.js 22.22.0 (LTS)
- Node.js 24.13.0 (LTS)
- Node.js 25.3.0 (Current)
Every release line from 8.x (the first with async_hooks) through 18.x is affected but will not receive a patch, since those lines have reached end-of-life. The fix changes the exception path so that stack overflow errors are re-thrown to user code instead of being treated as fatal.
Although the release is labeled "critical", the Node.js maintainers describe the fix as a best-effort mitigation rather than a guarantee, because recovering from stack exhaustion is not behaviour the language promises. "Stack space exhaustion isn't part of ECMAScript specifications, and V8 doesn't treat it as a security issue," the bulletin notes. The practical impact on production systems nonetheless warranted urgent action.
Immediate Actions:
- Upgrade Node.js installations to patched versions immediately
- Framework/library maintainers should enforce recursion depth limits in recursive parsers and walkers
- Validate or cap any user input that controls recursion depth (nesting of JSON, query objects, templates, and similar structures)
- Monitor for abnormal process terminations, in particular exit code 7, which indicates the internal fatal-exception handler itself failed
Simultaneously, Node.js patched three high-severity flaws:
- CVE-2025-55131: Data leakage/corruption risk
- CVE-2025-55130: Sensitive file read via crafted symlinks
- CVE-2025-59465: Remote denial-of-service vector
This vulnerability underscores the cascading risks in dependency chains: a foundational facility such as async_hooks, pulled in indirectly by frameworks and APM agents, can introduce systemic fragility. Production environments should test the updates in staging before deploying them.
