Critical Node.js async_hooks DoS (CVE-2025-59466) — immediate actions for full‑stack teams
TL;DR — A high‑impact Node.js bug (CVE-2025-59466) causes unrecoverable process termination when a stack overflow occurs while async_hooks callbacks are active. Because AsyncLocalStorage / async_hooks are widely used by React Server Components, Next.js, and every major APM agent, many server‑side JavaScript apps are at risk of easy Denial‑of‑Service. Upgrade to the patched Node.js releases (published Jan 13, 2026) immediately and apply short‑term mitigations if you cannot patch right away. (nodejs.org)
What happened (short)
- When async_hooks (or AsyncLocalStorage built on it) is enabled, certain stack overflows (e.g., deep recursion that allocates promises) can bypass normal error handling and cause Node.js to exit immediately (exit code 7) instead of throwing a catchable RangeError. That makes crashes unrecoverable and trivially exploitable as a DoS. (nodejs.org)
Who this breaks
- Any production app instrumented with async_hooks or AsyncLocalStorage. In practice the most exposed groups are:
  - React Server Components (RSC) and Next.js servers that use AsyncLocalStorage for request context.
  - APM/instrumentation agents (Datadog, New Relic, Elastic APM, OpenTelemetry, etc.) that enable async_hooks tracing.
  - Any server code that can be driven into deep recursion by external input. (nodejs.org)
Patched releases (what to upgrade to now)
- Node.js security updates containing the fix were released Jan 13, 2026 — upgrade to the matching patched versions for your release line. Examples listed in the advisory include patched builds in the 20.x, 22.x, 24.x and 25.x lines (see the official Node.js advisory for exact version numbers for your platform). Prioritize patching internet‑facing servers and CI runners that run server‑side rendering or instrumentation. (nodejs.org)
Immediate operational checklist (high‑impact, minimal friction)
- Patch first
  - Deploy the Node.js security releases to staging and production as soon as possible. This is the recommended and lowest‑risk fix. (nodejs.org)
- If you cannot patch immediately
  - Disable third‑party APM/instrumentation agents temporarily on public endpoints (they often enable async_hooks). Evaluate vendor advisories for patched agent versions. (nodejs.org)
  - Add defensive input validation to endpoints that parse deeply nested data (limit recursion/JSON depth). Do not rely on the runtime to make stack overflows recoverable. (nodejs.org)
  - Consider running vulnerable services under quick‑restart supervisors (systemd, k8s probes) only as a stopgap — this restarts crashed processes but does not stop them from being crashed again. Use this only while you patch. (nodejs.org)
- For teams on Node.js 24+
  - Node.js 24 reimplemented AsyncLocalStorage on top of V8’s AsyncContextFrame, which reduces reliance on async_hooks callbacks; in many default 24+ deployments React/Next.js instances are not affected in the same way. However, patched 24.x releases were still shipped — upgrade regardless. (nodejs.org)
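One way to implement the input/recursion-depth limit from the checklist above, as an added example (this is not code from the Node.js advisory, React, Next.js or any APM vendor): a guard that bounds JSON nesting depth and body size before the payload is parsed. The 32-level default, the Express/Connect-style middleware signature and the two sample payloads are assumptions constructed for this example.

```javascript
// Added example, not code from the Node.js advisory or any framework: a
// bounded-depth JSON guard for request bodies. Depth is measured in one
// iterative pass over the raw text, so the guard itself never recurses and
// cannot be pushed into a stack overflow by the payload it inspects.
'use strict';

// Assumption: 32 levels is deeper than any document a typical API accepts;
// tune it to your schemas.
const DEFAULT_MAX_DEPTH = 32;

// Maximum nesting depth of objects/arrays in a JSON text, computed without
// parsing. Brackets inside string literals are ignored, including after a
// backslash escape, so '{"a":"[["}' has depth 1. When `limit` is given the
// scan returns as soon as the limit is exceeded.
function jsonNestingDepth(text, limit = Infinity) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  let escaped = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
      if (maxDepth > limit) return maxDepth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return maxDepth;
}

class PayloadTooDeepError extends Error {
  constructor(depth, limit) {
    super(`JSON nesting depth ${depth} exceeds limit ${limit}`);
    this.name = 'PayloadTooDeepError';
    this.statusCode = 400; // a client error, rejected before any recursive code sees the data
  }
}

// Parse only after the depth check passes, so any code that later walks the
// parsed object recursively (validators, serializers, framework internals)
// has a known upper bound on the recursion depth this input can cause.
function parseJsonBounded(text, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = jsonNestingDepth(text, maxDepth);
  if (depth > maxDepth) throw new PayloadTooDeepError(depth, maxDepth);
  return JSON.parse(text);
}

// Size-and-depth body guard in the Express/Connect middleware shape
// (assumption: req/res are Node http.IncomingMessage / ServerResponse).
function boundedJsonBody({ maxBytes = 1_000_000, maxDepth = DEFAULT_MAX_DEPTH } = {}) {
  return function (req, res, next) {
    const chunks = [];
    let size = 0;
    req.on('data', (chunk) => {
      size += chunk.length;
      if (size > maxBytes) {
        res.statusCode = 413;
        res.end('payload too large');
        req.destroy();
        return;
      }
      chunks.push(chunk);
    });
    req.on('end', () => {
      try {
        req.body = parseJsonBounded(Buffer.concat(chunks).toString('utf8'), maxDepth);
        next();
      } catch (err) {
        res.statusCode = err.statusCode || 400;
        res.end(err.name === 'PayloadTooDeepError' ? err.message : 'invalid JSON');
      }
    });
  };
}

// Constructed sample payloads: a normal request body and a 10,000-level
// nested array of the kind the depth limit is meant to stop.
const SAMPLE_FLAT = '{"user":"alice","tags":["a","b"],"note":"[[not nested]]"}';
const SAMPLE_DEEP = '['.repeat(10000) + ']'.repeat(10000);

console.log('flat depth:', jsonNestingDepth(SAMPLE_FLAT));
console.log('deep depth:', jsonNestingDepth(SAMPLE_DEEP));
try {
  parseJsonBounded(SAMPLE_DEEP);
} catch (err) {
  console.log('rejected:', err.message);
}
```

Mount `boundedJsonBody()` in front of any route that accepts JSON, and keep the limit in the same place as the body-size limit so both are reviewed together. The depth scan is a single loop with no recursion, which is the point: the component that decides whether a payload is too deep must not itself be something a deep payload can overflow.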
How to detect exposure fast
- Search your dependency tree and startup logs for usage of async_hooks or AsyncLocalStorage.
- Check for APM agents that enable tracing; these agents commonly call async_hooks.createHook().
- Monitor for unexplained process exits with exit code 7 and correlate with recent requests that contain deeply nested payloads. (nodejs.org)
Why this matters to full‑stack teams
- Server rendering and distributed tracing are core parts of modern full‑stack stacks. This bug shows that low‑level runtime internals (async context and hooks) can create systemic availability risks across many layers — framework, platform, and telemetry — and that runtime behavior should not be treated as a security boundary. Fixing the runtime is necessary, but teams must also harden app‑level input/recursion controls. (nodejs.org)
Quick action plan (one‑hour, one‑day, one‑week)
- One hour: Inventory services using AsyncLocalStorage or APM agents; add monitoring for exit code 7. (nodejs.org)
- One day: Deploy patched Node.js builds to staging; coordinate vendor agent updates; restrict or disable agents on public endpoints if needed. (nodejs.org)
- One week: Roll the patched Node.js into production, validate application behavior under load, and add input/recursion limits to request parsing paths. Document the incident and update runbooks. (nodejs.org)
Closing note
- This is a practical, ecosystem‑wide availability issue (not an RCE). The Node.js project released fixes and guidance; full‑stack teams must treat this as an operational emergency for server‑side rendering and instrumented production services: inventory, patch, and mitigate input‑driven recursion immediately. (nodejs.org)
Source: Node.js official advisory — Mitigating Denial‑of‑Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users. (nodejs.org)