Node.js Fixes Critical DoS Flaw That Could Crash “Virtually Every Production App”

Jan 14, 2026 | News





Critical Flaw With Ecosystem-Wide Impact

The Node.js project has released security updates to address a critical issue that could cause denial-of-service (DoS) conditions in what maintainers describe as “virtually every production Node.js app.”

The flaw, tracked as CVE-2025-59466 (CVSS score: 7.5), affects how Node.js handles stack space exhaustion when the low-level async_hooks API is enabled. Under specific conditions, the bug causes Node.js to terminate abruptly instead of throwing a recoverable exception, allowing attackers to crash applications by triggering deep recursion.


Root Cause: Stack Overflow + async_hooks = Hard Crash

Normally, when recursion exhausts the stack, V8 surfaces the overflow as an ordinary, catchable RangeError ("Maximum call stack size exceeded"). Many frameworks rely on being able to catch that error in order to fail a single request rather than the whole process.

However, maintainers Matteo Collina and Joyee Cheung explained that a long-standing bug breaks this behavior when async_hooks is in use:

“Node.js exits with code 7 directly without throwing a catchable error when recursions in user code exhaust the stack space.”

Exit code 7 is Node.js's "Internal Exception Handler Run-Time Failure": an exception went uncaught and the internal fatal-exception handler itself failed while trying to handle it. No user-level try/catch or 'uncaughtException' listener gets a chance to run; the process simply terminates.

This becomes dangerous when recursion depth is influenced by unsanitized user input, allowing attackers to intentionally crash services.


Why So Many Apps Are Affected

The issue has far-reaching consequences because async_hooks underpins AsyncLocalStorage, which is widely used across the Node.js ecosystem.

As a result, many popular frameworks and observability tools are impacted, including:

  • React Server Components
  • Next.js
  • Datadog
  • New Relic
  • Dynatrace
  • Elastic APM
  • OpenTelemetry

Any application or dependency that relies on AsyncLocalStorage for request tracing, context propagation, or monitoring is potentially vulnerable.


Fixed Node.js Versions

The flaw has been addressed in the following releases:

  • Node.js 20.20.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 24.13.0 (LTS)
  • Node.js 25.3.0 (Current)

The fix ensures that the stack overflow error is propagated back to user code as a normal catchable exception, restoring predictable error handling instead of a fatal process exit.
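As an added example (not code from the Node.js project or from the advisory), the check below compares the running Node.js version against the fixed releases listed above. The FIXED table is taken from the advisory; everything else is an assumption of this example: release lines below 20 and the odd non-LTS lines 21 and 23 are treated as end-of-life with no fix available, and lines newer than 25 are assumed to have branched after the fix landed.

```javascript
'use strict';

// First release of each supported line that carries the CVE-2025-59466 fix
// (values from the Node.js security release notes quoted in the article).
const FIXED = {
  20: [20, 20, 0],
  22: [22, 22, 0],
  24: [24, 13, 0],
  25: [25, 3, 0],
};

// Accepts "22.22.0", "v22.22.0" or process.versions.node; ignores any
// pre-release suffix after the patch number.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unrecognised Node.js version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { patched, reason } for one version string.
// Assumptions (this example's, not the advisory's): majors not in FIXED and
// below 26 are end-of-life lines with no fix; majors above 25 post-date the fix.
function assessNodeVersion(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (Object.prototype.hasOwnProperty.call(FIXED, major)) {
    const ok = compareVersions(parsed, FIXED[major]) >= 0;
    return {
      patched: ok,
      reason: ok
        ? 'at or above the fixed release for this line'
        : `upgrade to ${FIXED[major].join('.')} or later`,
    };
  }
  if (major > 25) {
    return { patched: true, reason: 'release line newer than the fix (assumed)' };
  }
  return {
    patched: false,
    reason: 'end-of-life release line, no fix will be published; move to a supported LTS',
  };
}

// Stand-alone use: report on the interpreter running this script.
const current = assessNodeVersion(process.versions.node);
console.log(`Node.js ${process.versions.node}: ${current.patched ? 'PATCHED' : 'VULNERABLE'} (${current.reason})`);
```

Run it under each interpreter you deploy (including the one baked into container base images), not just your workstation; a process exit code could be derived from `current.patched` to gate a CI pipeline.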


Older Versions Remain Vulnerable

The bug dates back to Node.js 8.0.0 (Carbon), released in May 2017, so every release line from 8.x through 18.x carries it as well.

However, these versions remain unpatched because they have reached end-of-life (EoL) and no longer receive security updates.

Organizations still running legacy Node.js versions are therefore permanently exposed unless they upgrade.




Why Node.js Calls This a “Mitigation,” Not a Full Fix

Despite its impact, the Node.js team classified the change as a mitigation rather than a strict security fix, citing several reasons:

  • Stack space exhaustion is not defined in the ECMAScript specification
  • The V8 engine does not consider it a security issue
  • Limitations exist with the uncaughtException handler, which is intended only as a last-resort mechanism

Still, Node.js acknowledged the real-world consequences:

“We chose to include it in the security release because of its widespread impact on the ecosystem. The fix improves developer experience and makes error handling more predictable.”


Additional High-Severity Fixes Released

Alongside CVE-2025-59466, Node.js also patched three other high-severity vulnerabilities:

  • CVE-2025-55131 – Data leakage or corruption
  • CVE-2025-55130 – Arbitrary file read via crafted relative symlink paths
  • CVE-2025-59465 – Remote denial-of-service

Recommended Actions

Given the scale of impact, Node.js users are strongly advised to:

  • Upgrade immediately to a patched Node.js version
  • Audit applications for unbounded or user-controlled recursion
  • Apply additional safeguards in frameworks and libraries
  • Ensure production systems are not running EoL Node.js releases
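The following is an added example, not code from the Node.js project or from the article, illustrating both the root cause described earlier (recursion depth driven by unsanitized input) and the "audit for user-controlled recursion" recommendation above. It assumes a hypothetical JSON-accepting request handler with an assumed limit MAX_DEPTH of 64, and uses constructed input: a JSON array nested 100000 levels deep, the kind of body a client can POST in a few hundred kilobytes. The "before" handler depends on catching the RangeError that stack exhaustion normally produces; that is the recovery path the advisory says becomes a fatal exit-code-7 crash on unpatched releases when async_hooks is active (AsyncLocalStorage, APM agents). The "after" handler measures nesting iteratively and rejects the request before any recursive code runs, so the stack is never exhausted regardless of hook state or Node.js version.

```javascript
'use strict';

// Assumed limit for this example; set it to the deepest structure the
// service legitimately needs to accept.
const MAX_DEPTH = 64;

// Constructed sample input: depth nested empty arrays, e.g. nestedArrays(3) === '[[[]]]'.
function nestedArrays(depth) {
  return '['.repeat(depth) + ']'.repeat(depth);
}

// Recursive walk whose depth equals the nesting depth of the input:
// one stack frame per level, all of it controlled by the client.
function countNodes(value) {
  if (!Array.isArray(value)) return 1;
  let n = 1;
  for (const item of value) n += countNodes(item);
  return n;
}

// BEFORE: unbounded recursion, "protected" only by catching RangeError.
// On a plain process the overflow is caught here. On an unpatched release
// with async_hooks enabled the advisory says the same overflow exits the
// process with code 7 before this catch block can run.
function handleUnbounded(body) {
  try {
    return { ok: true, nodes: countNodes(JSON.parse(body)) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, reason: 'stack exhausted' };
    throw err;
  }
}

// Iterative nesting-depth scan over the raw JSON text (no recursion, no
// parse). Brackets inside string literals are ignored, escapes honoured.
function nestingDepth(text) {
  let depth = 0;
  let max = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;              // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else if (c === '[' || c === '{') { if (++depth > max) max = depth; }
    else if (c === ']' || c === '}') depth--;
  }
  return max;
}

// AFTER: refuse over-deep input up front. The recursive walk then runs with
// a known maximum depth, so stack exhaustion is impossible by construction
// and the process's behaviour on overflow no longer matters.
function handleBounded(body) {
  const depth = nestingDepth(body);
  if (depth > MAX_DEPTH) {
    // A real handler would answer HTTP 400 here.
    return { ok: false, reason: `nesting depth ${depth} exceeds limit ${MAX_DEPTH}` };
  }
  return { ok: true, nodes: countNodes(JSON.parse(body)) };
}

// Stand-alone demo. Deliberately does not feed the deep input to
// handleUnbounded: run under an APM agent on an unpatched release, that is
// the crash the advisory describes.
console.log(handleUnbounded(nestedArrays(3)));
console.log(handleBounded(nestedArrays(3)));
console.log(handleBounded(nestedArrays(100000)));
```

The depth scan is the part worth reusing: it costs one pass over the body, runs before any parsing, and turns an availability bug into a 400 response whatever the interpreter does on stack overflow.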

For organizations relying on React, Next.js, or APM tooling, the update is particularly urgent to avoid trivial service crashes.


Sources: thehackernews.com

