
New Critical Denial-of-Service Node.js Vulnerability Disclosed

Node.js, the popular JavaScript runtime, has addressed a critical denial-of-service (DoS) vulnerability that can crash a server process outright, with no chance for the application to recover, and that affects most production deployments. The flaw, tracked as CVE-2025-59466, was patched in security updates released earlier this month, prompting urgent calls for developers to upgrade.

The vulnerability arises from an inconsistency in how Node.js handles stack overflows when the async_hooks module is enabled. async_hooks is a core API for tracking the lifetime of asynchronous resources such as promises and HTTP requests; it is switched on by most application performance monitoring (APM) agents and, in Node.js 20 and 22, by AsyncLocalStorage, the context-propagation API that is implemented on top of it in those lines. Under normal circumstances, Node.js and V8 make a best-effort attempt to recover from stack exhaustion by throwing a catchable RangeError ("Maximum call stack size exceeded"), which an application can handle in a try/catch block or an uncaughtException handler.

When async_hooks is in use, that recovery fails. Instead of throwing, the process exits immediately with exit code 7 (internal exception handler run-time failure), bypassing every error-handling layer in the application. A condition that would otherwise be a handled error becomes a remote DoS: an attacker who can make the server recurse deeply, for example by sending an overly nested JSON body to an endpoint whose code walks it recursively, can terminate the process on demand.

Node.js maintainers described the issue as impacting "virtually every production Node.js app," particularly applications built on React and Next.js, which are commonly instrumented with APM agents from providers such as Datadog or New Relic. Even applications with no APM agent may be affected if they rely on AsyncLocalStorage for context propagation on Node.js 20 or 22, where that API still enables async_hooks internally. The Common Weakness Enumeration (CWE) classifies the flaw as CWE-758 (reliance on undefined, unspecified, or ill-defined behavior), a pointed reminder that stack-overflow recovery in JavaScript has never been a guaranteed behavior, only a best-effort one the ecosystem has come to depend on.

The patches were included in the January 13, 2026, security releases, covering active LTS lines: Node.js 20.20.0, 22.22.0, 24.13.0, and the current 25.3.0. The fix ensures that stack overflow errors are re-thrown as catchable exceptions, maintaining consistency regardless of async_hooks usage. Node.js security team members Matteo Collina and Joyee Cheung detailed the issue in an official blog post, emphasizing that while the patch mitigates the immediate DoS vector, the broader reliance on non-guaranteed error recovery remains a concern.

"Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Collina and Cheung wrote. "A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error."

The vulnerability received a CVSS score of 7.5, classifying it as high severity: it affects availability only, but it is reachable over the network, needs no privileges or user interaction, and has low attack complexity. Despite being labeled "medium" in some Node.js documentation, security experts have urged immediate action, noting its potential for widespread disruption. Older release lines such as Node.js 18, which reached end-of-life in 2025, will not receive the fix, so users on them must migrate to a supported release.

This flaw was part of a broader set of seven vulnerabilities addressed in the January releases, including a high-severity HTTP/2 server crash (CVE-2025-59465) caused by malformed HEADERS frames, and medium-severity issues like memory leaks in TLS handling and permission model bypasses in the file system module. Distributions such as Mageia have already incorporated these updates into their packages, advising users to apply them promptly.

Industry responses have been swift. SentinelOne, a cybersecurity firm, published a detailed analysis of CVE-2025-59466, recommending upgrades and code reviews to avoid deep recursion in user-controlled inputs. Developer Dhanush Nehru, in a Medium post, highlighted the risks for Node.js users, stating, "The vulnerability (CVE-2025-59466) is a stack overflow issue inside a core Node.js component called async hooks." On platforms like LinkedIn and Reddit, IT professionals have shared alerts, with NetManageIT posting about the flaw's impact on production environments.

Experts warn that while the patch addresses the async_hooks-specific failure, developers should not depend on stack overflow recovery for reliability. The usable stack depth varies by environment: the main thread's V8 stack is typically a little under 1 MB, and the --stack-size flag only tells V8 how much of the OS thread stack it may use, so raising it above the real stack size turns a catchable RangeError into a hard segfault. Worker threads get their own, separately sized stacks (resourceLimits.stackSizeMb), so the same input may overflow at a different depth depending on where it is processed. Best practices include refactoring recursive code into iterative alternatives, validating input to cap nesting depth before it reaches recursive code, and using monitoring tools to detect abnormal stack usage.
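The following is an added example, not code from the article or from the Node.js project, that ties together the two points above: the best-effort recovery that CVE-2025-59466 breaks (a try/catch around deep recursion that expects a RangeError) and the mitigation of bounding nesting depth before attacker-controlled input reaches recursive code. The function names (recoverBestEffort, walkRecursive, nestingDepth, handleBody), the 64-level limit and the sample request bodies are assumptions made for this illustration.

```javascript
// Added example (not from the article or the Node.js project). All names and
// sample inputs below are assumptions made for this illustration.

// The "best-effort recovery" frameworks rely on: V8 throws a RangeError on
// stack exhaustion and we turn it into a controlled failure. On an unpatched
// runtime with async_hooks enabled, the advisory says this catch never runs;
// the process exits with code 7 instead.
function recoverBestEffort(fn) {
  try {
    return fn();
  } catch (err) {
    if (err instanceof RangeError && /Maximum call stack size exceeded/.test(err.message)) {
      return { ok: false, reason: 'stack' };
    }
    throw err; // anything else is a real bug; let it surface
  }
}

// Representative application code: a naive recursive walk over parsed JSON.
// Its recursion depth equals the nesting depth of attacker-controlled input.
function walkRecursive(value) {
  let count = 1;
  if (Array.isArray(value)) {
    for (const item of value) count += walkRecursive(item);
  } else if (value !== null && typeof value === 'object') {
    for (const item of Object.values(value)) count += walkRecursive(item);
  }
  return count;
}

// Mitigation: measure nesting depth with a flat loop before parsing, so the
// guard itself cannot overflow. Brackets inside JSON strings (and escaped
// quotes) are skipped. Returns the maximum depth seen, bailing out as soon as
// it exceeds `limit`.
function nestingDepth(text, limit = Infinity) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > max) max = depth;
      if (max > limit) return max;
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return max;
}

// Request handling with the guard in front: over-nested bodies are rejected
// before they reach the recursive code at all.
function handleBody(text, maxDepth = 64) {
  if (nestingDepth(text, maxDepth) > maxDepth) return { ok: false, reason: 'nesting' };
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return { ok: false, reason: 'syntax' };
  }
  return recoverBestEffort(() => ({ ok: true, nodes: walkRecursive(parsed) }));
}

// Constructed inputs: a benign body and a hostile one (200k nested arrays).
const BENIGN_BODY = '{"a":[1,2,{"b":null}]}';
const HOSTILE_DEPTH = 200000;
const HOSTILE_BODY = '['.repeat(HOSTILE_DEPTH) + ']'.repeat(HOSTILE_DEPTH);

// The same hostile structure built without parsing, to exercise the walker
// directly regardless of how JSON.parse itself is implemented.
function deeplyNested(n) {
  let v = [];
  for (let i = 0; i < n; i++) v = [v];
  return v;
}

// Without the guard the walker overflows and we depend on V8's recovery.
function unguardedResult() {
  return recoverBestEffort(() => ({ ok: true, nodes: walkRecursive(deeplyNested(HOSTILE_DEPTH)) }));
}

console.log('benign   :', handleBody(BENIGN_BODY));
console.log('guarded  :', handleBody(HOSTILE_BODY));
console.log('unguarded:', unguardedResult());

// Opt-in comparison: `node example.js --with-hook` enables an async hook first,
// the configuration the advisory describes. A patched release still returns
// { ok: false, reason: 'stack' }; on an affected one the same call may end the
// process with exit code 7 before the catch runs, so use a throwaway process.
if (process.argv.includes('--with-hook')) {
  const { createHook } = require('node:async_hooks');
  createHook({ init() {} }).enable();
  console.log('with hook:', unguardedResult());
}
```

The guard is deliberately a flat character scan rather than a parse, so it is safe to run on untrusted input of any size, and the limit is checked before JSON.parse and before any recursive application code. Whether the opt-in hook run actually exits with code 7 on an affected release depends on hitting the exact faulty path, which the article does not spell out; the flag exists so the same file can be compared across a patched and an unpatched runtime.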

For cloud-hosted applications, platforms such as AWS Lambda or Google Cloud Run will restart a crashed instance automatically, but that does not remove the DoS potential: every malicious request still costs a full process restart and drops whatever other requests that instance was serving. APM providers have issued advisories; Datadog, for instance, confirmed that its agent enables async_hooks, which puts instrumented services in the affected configuration, and recommended immediate patching.

The discovery of CVE-2025-59466 underscores ongoing challenges in JavaScript runtimes, where low-level APIs like async_hooks provide essential functionality but introduce subtle risks. Node.js, maintained by the OpenJS Foundation, continues to evolve, with proposals for standardizing error behaviors in ECMAScript potentially addressing similar issues in the future.

As of January 30, no public exploits have been reported, but security researchers advise vigilance. "This is a wake-up call for the Node.js community," said a spokesperson from the Lifeboat Foundation, echoing sentiments shared on social media. With Node.js powering millions of web services, from e-commerce platforms to real-time applications, timely updates are essential to prevent disruptions.

Developers are encouraged to check the official Node.js security blog for full details and upgrade instructions. The patched releases are available as direct downloads from nodejs.org and through version managers and distribution packages; upgrading the runtime itself is what closes the flaw, not updating npm packages.
