Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow


These articles are AI-generated summaries. Please check the original sources for full details.


Node.js recently released updates for a denial-of-service (DoS) vulnerability, tracked as CVE-2025-59466, that affects any application in which the async_hooks module is active. In practice that covers most production deployments, because AsyncLocalStorage and APM agents are built on it. The flaw is improper handling of stack overflow while async_hooks are in use: a stack exhaustion that should surface as a catchable error can instead terminate the process, an unrecoverable crash.

Why This Matters

Node.js error handling normally relies on V8 turning stack exhaustion into a RangeError ("Maximum call stack size exceeded") that application or framework code can catch, so a single runaway request degrades to an error response instead of taking the process down. With async_hooks enabled, this bug bypasses that mechanism: the process terminates immediately rather than raising a recoverable error. For services that depend on Node.js backends this means outright downtime, with the usual cost in lost revenue and reputation.

Key Insights

  • CVE-2025-59466 (CVSS base score 7.5, which maps to High severity on the CVSS scale): the DoS vulnerability in stack overflow handling when async_hooks are in use.
  • AsyncLocalStorage: the Node.js core API for propagating async context, built on async_hooks and used by popular frameworks such as React Server Components and Next.js, which greatly widens the vulnerability's reach.
  • Affected ecosystem: APM agents such as Datadog, New Relic and Dynatrace also rely on async_hooks to follow asynchronous operations, so processes running them are exposed as well.

Practical Applications

  • Use case: APM tools like Datadog use async_hooks to trace asynchronous operations, so any process running them is exposed to the crash if a stack overflow occurs on an unpatched version.
  • Pitfall: relying on Node.js's default stack overflow handling (catching the RangeError) without an explicit recursion or input-depth limit leaves a process one deeply nested request away from termination once async_hooks are active. Upgrade to a patched Node.js release, and bound recursion depth explicitly so that untrusted input never reaches stack exhaustion in the first place.
