Severe Node.js Vulnerability Could Lead to Server Crashes Through async_hooks

Published: Jan 14, 2026 | Ravie Lakshmanan | Application Security / Vulnerability

Critical Security Update for Node.js

Node.js has recently implemented crucial updates addressing a significant security vulnerability that affects nearly all production applications utilizing this platform. If attackers exploit this flaw, it could lead to a denial-of-service (DoS) situation, causing the applications to become unavailable.

Understanding the Vulnerability

The issue arises from how Node.js handles stack space exhaustion, particularly when using async_hooks—a powerful low-level API that tracks the lifecycle of asynchronous resources like database connections and timers. According to Node.js developers Matteo Collina and Joyee Cheung, a bug that appears exclusively when async_hooks is in use could prevent Node.js from handling errors effectively. Instead, in cases of stack overflow due to deep recursion in user code, the system would crash and exit with error code 7, signifying an issue with the internal exception handler.

Impact on Node.js Frameworks and Tools

This vulnerability poses a risk to various frameworks and Application Performance Monitoring (APM) tools that leverage async_hooks. Well-known libraries and tools affected by this flaw include React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry. The problematic component is AsyncLocalStorage, built on the async_hooks infrastructure, which allows the tracking of data throughout asynchronous operations.

Versions Addressing the Vulnerability

Node.js has released updates to mitigate this vulnerability in the following versions:

  • Node.js 20.20.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 24.13.0 (LTS)
  • Node.js 25.3.0 (Current)

Every Node.js version from 8.x (where async_hooks debuted) through 18.x is also affected. However, since the 8.x versions have reached end-of-life status, they remain unpatched.
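A practical first step is to check which release line a host is running against the fixed versions listed above. The following is an added example, not code from the article or from the Node.js project: it parses a version string and reports whether that release still carries CVE-2025-59466, using only the release facts the article states. Two assumptions go beyond the article and are marked in the code: majors with no listed fix outside the 8.x to 18.x range (19, 21, 23) are treated as vulnerable, and majors newer than 25 are treated as patched.

```javascript
// Added example (not from the article or the Node.js project): classify a
// Node.js version string against the first fixed releases for CVE-2025-59466.

// First fixed release on each maintained line, as listed in the article.
const FIRST_FIXED = {
  20: [20, 20, 0],
  22: [22, 22, 0],
  24: [24, 13, 0],
  25: [25, 3, 0],
};

// Parse "v22.22.0" or "22.22.0" into [major, minor, patch]; null if malformed.
function parseNodeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { vulnerable: boolean, reason: string } for a version string.
function assessCve202559466(version) {
  const v = parseNodeVersion(version);
  if (!v) throw new TypeError(`unparseable Node.js version: ${version}`);
  const major = v[0];
  if (major < 8) {
    // The article dates async_hooks to 8.x, so earlier lines lack the API.
    return { vulnerable: false, reason: 'async_hooks did not exist before 8.x' };
  }
  if (major <= 18) {
    return { vulnerable: true, reason: `${major}.x is end-of-life and will not be patched` };
  }
  const fixed = FIRST_FIXED[major];
  if (fixed) {
    const patched = compareVersions(v, fixed) >= 0;
    return patched
      ? { vulnerable: false, reason: `at or above fixed release ${fixed.join('.')}` }
      : { vulnerable: true, reason: `update to ${fixed.join('.')} or later` };
  }
  if (major > 25) {
    // Assumption: lines newer than 25.3.0 were cut after the fix landed.
    return { vulnerable: false, reason: 'assumed patched: newer than the 25.x fixed release' };
  }
  // Assumption: odd, unlisted lines (19, 21, 23) are treated as vulnerable.
  return { vulnerable: true, reason: `no fixed release listed for ${major}.x; treated as vulnerable` };
}

// Convenience check for the interpreter running this script.
function checkRunningNode() {
  return assessCve202559466(process.version);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = checkRunningNode();
  console.log(`${process.version}: ${r.vulnerable ? 'VULNERABLE' : 'ok'} (${r.reason})`);
}
```

Run it with `node check.js` on each host, or feed it the output of `node --version` collected from a fleet; the conservative defaults mean an unknown line is flagged rather than silently passed.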

Details of the Fix

The patch detects stack overflow conditions and re-throws the resulting error to user code instead of treating it as fatal. The fix is tracked as CVE-2025-59466 with a CVSS score of 7.5, indicating its seriousness. Even so, Node.js considers the update a mitigation rather than a complete solution, citing ongoing concerns.

In its rationale, the Node.js project wrote: “Although it is a bug fix for unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem.” The decision underscores the value of a better developer experience and more predictable error handling across affected applications.

Recommendations for Users and Developers

Given the severity of this vulnerability, users of the affected frameworks and server hosting providers are strongly advised to update promptly to a fixed release. Developers should also implement more robust handling of potential stack space exhaustion, improving overall application reliability.

Other Recent Security Issues in Node.js

Alongside this vulnerability, Node.js also addressed three other critical security issues (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465). These flaws could lead to data leakage, corruption, and remote denial-of-service attacks, highlighting the need for developers to continually monitor for and apply security patches.

This update reflects Node.js’s commitment to maintaining a reliable and secure environment for application development, which is all the more vital in today’s expanding digital landscape.
