Full Report
Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's
Analysis Summary
# Vulnerability: Node.js Denial of Service via `async_hooks` Stack Exhaustion (Exit Code 7)
## CVE Details
- CVE ID: CVE-2025-59466
- CVSS Score: 7.5 (High)
- CWE: Not stated in the advisory; the closest category is CWE-755 (Improper Handling of Exceptional Conditions), since the defect is the runtime failing to surface a recoverable error.
## Affected Systems
- Products: Node.js runtime, frameworks utilizing `async_hooks` or `AsyncLocalStorage` (including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry).
- Versions: Every Node.js release line since `async_hooks` was introduced in 8.x is affected up to, but not including, the patched versions listed under Remediation. Fixes were published only for the active lines (20.x, 22.x, 24.x, 25.x); 18.x and earlier are End-of-Life (EoL), remain affected and will not receive a patch.
- Configurations: Requires the use of the `async_hooks` module (or components built upon it, like `AsyncLocalStorage`).
## Vulnerability Description
Recursion in user code that is driven by unsanitized input can exhaust the available stack space. Normally V8 recovers from stack exhaustion by throwing a catchable `RangeError` ("Maximum call stack size exceeded"), and application frameworks rely on catching that error to keep the service up: the offending request fails, the process survives. When `async_hooks` are in use (directly or through `AsyncLocalStorage`, which most tracing and APM agents build on), this recovery path is broken: instead of the error reaching user code, Node.js terminates the process with exit code 7 (Internal Exception Handler Run-Time Failure). No `try`/`catch`, `uncaughtException` handler or framework error middleware sees the error, so a single crafted request crashes the whole process.
## Exploitation
- Status: No exploitation in the wild is reported in the sources cited here.
- Complexity: Likely Low, as exploiting stack exhaustion via user-controlled recursion can often be achieved with specially crafted input leading to infinite or deep recursion.
- Attack Vector: Network (remote input triggering local stack overflow).
## Impact
- Confidentiality: Negligible (Primary impact is availability).
- Integrity: Negligible (Primary impact is availability).
- Availability: High (Successful exploitation leads to an unhandled, fatal application crash, causing Denial of Service (DoS)).
## Remediation
### Patches
The fix detects stack overflow errors and re-throws them to user code as catchable errors instead of immediately exiting with code 7.
Patches are available in the following versions:
- Node.js 20.20.0 (LTS)
- Node.js 22.22.0 (LTS)
- Node.js 24.13.0 (LTS)
- Node.js 25.3.0 (Current)
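The following helper, added here as an example and not taken from the Node.js advisory, encodes the patched versions above so a CI job or startup check can flag an unpatched runtime. Majors below 20 are treated as EoL with no fix available, and majors newer than the advisory lists are reported as unknown rather than guessed; the `FIXED` table and the status names are this example's own choices.

```javascript
// Added example: assess a Node.js version string against the CVE-2025-59466
// fixed versions published in the advisory (20.20.0, 22.22.0, 24.13.0, 25.3.0).
const FIXED = {
  20: [20, 20, 0],
  22: [22, 22, 0],
  24: [24, 13, 0],
  25: [25, 3, 0],
};

// Accepts "v22.21.1", "22.21.1" or "v22.21.1-nightly..." and returns [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { status, fixedIn } where status is one of
// 'patched' | 'vulnerable' | 'eol' | 'unknown'.
//   eol     : release line older than 20.x; affected, no fix will be published
//   unknown : major newer than the advisory covers; do not assume either way
function assessVersion(v) {
  const current = parseVersion(v);
  const fix = FIXED[current[0]];
  if (!fix) {
    return current[0] < 20
      ? { status: 'eol', fixedIn: null }
      : { status: 'unknown', fixedIn: null };
  }
  return {
    status: compareVersions(current, fix) >= 0 ? 'patched' : 'vulnerable',
    fixedIn: fix.join('.'),
  };
}

// When run directly, assess the live runtime. A non-zero exit lets a CI
// pipeline fail the build on a vulnerable or EoL Node.js.
if (typeof require !== 'undefined' && require.main === module) {
  const result = assessVersion(process.version);
  console.log(process.version, result);
  process.exitCode = result.status === 'patched' ? 0 : 1;
}
```

Run it with `node check-node-version.js` on each host or image; for pinned toolchains feed the value from `.nvmrc` or the Dockerfile base tag to `assessVersion` instead.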
### Workarounds
No specific workarounds were detailed; the vendor strongly recommends updating. If immediate patching is impossible, the only effective mitigation is to prevent the overflow rather than catch it, because the exit-code-7 termination cannot be intercepted by `try`/`catch` or `uncaughtException`: impose explicit depth limits on every recursive code path that follows the shape of external input (nested JSON or YAML, query parsers, template or expression evaluators) and reject over-deep input before V8's stack limit is approached. Limits in your own code do not cover recursion inside dependencies, so review third-party parsers on the request path as well.
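As an added illustration (not code from the advisory or from any of the frameworks named above), the block below places an unbounded recursive walk over a nested object next to a depth-bounded version of the same walk, and a small `probe` function that reports how each ends on a constructed deeply nested payload. `MAX_DEPTH` and all function names are this example's own assumptions. Without `async_hooks` active, the unbounded walk ends in a catchable `RangeError`, which is the behaviour frameworks rely on; on an unpatched runtime with `async_hooks` active (for example an APM agent loaded via `--require`), the advisory's failure mode applies and that same overflow terminates the process with exit code 7 instead of returning to `probe`. The bounded walk never gets near the stack limit, so it behaves the same on both.

```javascript
// Added example: bounding recursion on attacker-controlled input so V8's
// stack limit is never reached. MAX_DEPTH is an assumed budget; size it to
// the deepest legitimate input your service accepts.
const MAX_DEPTH = 64;

class DepthLimitExceeded extends Error {
  constructor(depth) {
    super(`nesting depth ${depth} exceeds limit ${MAX_DEPTH}`);
    this.name = 'DepthLimitExceeded';
  }
}

// Vulnerable shape: recursion depth tracks the input, so a deeply nested
// payload walks the stack to exhaustion. Without async_hooks this surfaces as
// a catchable RangeError; with async_hooks on unpatched Node it is a fatal
// exit 7 that no catch block sees.
function countNodesUnbounded(node) {
  if (node === null || typeof node !== 'object') return 1;
  let n = 1;
  for (const child of Object.values(node)) n += countNodesUnbounded(child);
  return n;
}

// Hardened shape: the depth is checked before every descent, so over-deep
// input is rejected with an ordinary application error long before the
// runtime's stack limit is involved.
function countNodesBounded(node, depth = 0) {
  if (node === null || typeof node !== 'object') return 1;
  if (depth > MAX_DEPTH) throw new DepthLimitExceeded(depth);
  let n = 1;
  for (const child of Object.values(node)) n += countNodesBounded(child, depth + 1);
  return n;
}

// Constructed payload: {a:{a:{...}}} with `depth` levels of wrapping,
// i.e. depth + 1 objects in total. Built iteratively so construction itself
// cannot overflow.
function nestedObject(depth) {
  let obj = {};
  for (let i = 0; i < depth; i++) obj = { a: obj };
  return obj;
}

// Runs one walker over the constructed payload and reports the outcome the
// way a request handler wrapping a parser would see it.
function probe(depth, mode) {
  const walk = mode === 'bounded' ? countNodesBounded : countNodesUnbounded;
  try {
    return { ok: true, count: walk(nestedObject(depth)), error: null };
  } catch (e) {
    // e.name is 'DepthLimitExceeded' for the bounded walk and 'RangeError'
    // for the unbounded one (when the runtime is able to surface it at all).
    return { ok: false, count: null, error: e.name };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('bounded, depth 10     :', probe(10, 'bounded'));
  console.log('bounded, depth 100000 :', probe(100000, 'bounded'));
  console.log('unbounded, depth 100000:', probe(100000, 'unbounded'));
}
```

The bounded walk rejects the 100,000-level payload at depth 65 with a `DepthLimitExceeded` that any error middleware can turn into a 4xx response. The same depth counter pattern applies to hand-written parsers and tree transforms; for `JSON.parse` itself no depth option exists, so cap request body size at the edge and validate nesting on the parsed structure before passing it to recursive code.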
## Detection
- Indicators: Unexpected process termination with exit code 7 is the signature of this crash. Exit code 7 covers any failure inside Node's internal exception handler, so correlate it with the request that was in flight (deeply nested or unusually large bodies) before attributing it to this issue.
- Detection methods and tools: Alert on exit code 7 from the process supervisor (systemd, PM2, container runtime) rather than from application logs, since the process does not get to log the error itself. A sudden gap in traces or metrics from APM agents built on `async_hooks` (Datadog, New Relic, Dynatrace, Elastic APM, OpenTelemetry) is a secondary signal: the crash takes the agent down with the runtime. Repeated restarts of the same service correlated with a single client or payload shape point to deliberate triggering.
## References
- Vendor Advisory and Release Notes (also covers other CVEs released concurrently): [nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks)
- Fix Commit: [github.com/nodejs/node/commit/ddadc31f09](https://github.com/nodejs/node/commit/ddadc31f09)