January 29, 2026

Jan 14, 2026 · Ravie Lakshmanan · Software Security / Vulnerability

Critical Node.js Vulnerability

Node.js has released updates to fix what it described as a critical security issue impacting “virtually every production Node.js app” that, if successfully exploited, could trigger a denial-of-service (DoS) condition.

“Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability,” Node.js’s Matteo Collina and Joyee Cheung said in a Tuesday bulletin.

“A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 immediately without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to Denial-of-Service attacks.”

At its core, the shortcoming stems from the fact that Node.js exits with code 7 (denoting an Internal Exception Handler Run-Time Failure) instead of gracefully handling the exception when a stack overflow occurs in user code while async_hooks is enabled. async_hooks is a low-level Node.js API that allows developers to track the lifecycle of asynchronous resources, such as database queries, timers, or HTTP requests.


The issue, Node.js said, affects a number of frameworks and Application Performance Monitoring (APM) tools, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, owing to their use of AsyncLocalStorage, a component built atop the async_hooks module that makes it possible to store data throughout the lifetime of an asynchronous operation.

It has been addressed in the following versions –

  • Node.js 20.20.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 24.13.0 (LTS)
  • Node.js 25.3.0 (Current)

The problem also affects all Node.js versions from 8.x, which was the first version with async_hooks, to 18.x. It is worth noting that Node.js version 8.0.0, codenamed Carbon, was released on May 30, 2017. However, these versions remain unpatched as they have reached end-of-life (EoL) status.

The fix put in place detects stack overflow errors and re-throws them to user code instead of treating them as fatal. It is being tracked under the CVE identifier CVE-2025-59466 (CVSS score: 7.5). Despite the significant practical impact, Node.js said it is treating the fix as only a mitigation, for a few reasons –


“Although it’s a bug fix for an unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem,” Node.js said. “React Server Components, Next.js, and virtually every APM tool are affected. The fix improves developer experience and makes error handling more predictable.”

In light of the severity of the vulnerability, users of the affected frameworks/tools and server hosting providers are recommended to update as soon as possible. Maintainers of libraries and frameworks are also recommended to apply more robust defenses against stack space exhaustion to ensure service availability.

The disclosure comes as Node.js also released fixes for three other high-severity flaws (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465) that could be exploited to achieve data leakage or corruption, read sensitive files using crafted relative symbolic link (symlink) paths, and trigger a remote denial-of-service, respectively.
