Critical Node.js Vulnerability Causes Server Crashes via async_hooks (CVE-2025-59466)

A critical Node.js vulnerability (CVE-2025-59466) allows attackers to crash servers via async_hooks stack overflow. Affects Next.js, React Server Components, and major APM tools. Update immediately.

Jan 20, 2026 - 11:41
Jan 15, 2026 - 13:08

Node.js has released security updates to fix a top-priority bug that could take down nearly every production Node.js application. The weakness lets attackers create a denial-of-service (DoS) condition by exploiting the way Node.js handles stack overflow errors when the async_hooks API is enabled, taking the server down.

According to Node.js maintainers Matteo Collina and Joyee Cheung, the problem breaks an existing recovery mechanism that a number of frameworks relied on to keep services running.

“Node.js and V8 make a best-effort attempt to recover from stack space exhaustion with a catchable error. A bug triggered when async_hooks are used breaks this behavior, causing Node.js to exit immediately with code 7 instead of throwing a recoverable exception.” 

This makes it possible to crash applications whenever the depth of recursion is determined by user input that is not properly sanitized or is controlled by the attacker.

What Is the Root Cause of the Vulnerability?

  • Normally, when a stack overflow happens, Node.js tries to recover gracefully by throwing a catchable exception. When async_hooks is enabled, this mechanism does not work properly.
  • Instead of throwing an exception the application can handle, Node.js kills the process immediately with exit code 7 (Internal Exception Handler Runtime Failure), causing a total service outage.
  • The flaw is even more critical for applications that:
    • Use recursion
    • Handle user-controlled input
    • Depend on async context tracking

Why async_hooks Makes This Vulnerability Dangerous

async_hooks is a low-level Node.js API used to track asynchronous resources such as:

  • Network calls
  • Database accesses
  • Timers
  • Background jobs

A large number of modern frameworks and monitoring tools depend on AsyncLocalStorage, which is built on top of async_hooks. AsyncLocalStorage lets developers keep context data across asynchronous operations.

Due to this dependency, the vulnerability has a wide reaching effect on the Node.js ecosystem.

Affected Frameworks and APM Tools

The Node.js security team confirmed that the affected frameworks and monitoring solutions include the following popular ones:

  • React Server Components
  • Next.js
  • Datadog
  • New Relic
  • Dynatrace
  • Elastic APM
  • OpenTelemetry

Any application that uses AsyncLocalStorage, directly or indirectly, is vulnerable.

Affected and Patched Node.js Versions

The flaw affects all Node.js versions from 8.x to 18.x, since the async_hooks feature was introduced in 8.x. Unfortunately, these versions have reached end-of-life (EOL) and will not receive security updates.

Fixed Versions (Upgrade Recommended)

Users should upgrade without delay to one of the following patched releases:

  • Node.js 20.20.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 24.13.0 (LTS)
  • Node.js 25.3.0 (Current)
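To turn the release list above into an audit check, here is an added example (not code from the advisory or the Node.js project) that classifies a Node.js version string against the fixed releases named above. The `FIXED_VERSIONS` table and the 8.x to 18.x end-of-life range are taken from this article; the function names, the `unknown` status for release lines the article does not list, and the CommonJS `require.main` guard are assumptions of this example.

```javascript
// Added example (not from the advisory or the Node.js project): classify a
// Node.js version string against the fixed releases the advisory lists.
const FIXED_VERSIONS = { 20: '20.20.0', 22: '22.22.0', 24: '24.13.0', 25: '25.3.0' };
const FIRST_AFFECTED_MAJOR = 8;   // async_hooks was introduced in 8.x
const LAST_EOL_MAJOR = 18;        // 8.x to 18.x are end-of-life; no fix shipped

// Accepts "v20.19.5" or "20.19.5" (process.version uses the leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognized version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status, fixedIn } where status is one of
// 'not-affected', 'end-of-life', 'unknown', 'vulnerable', 'patched'.
function patchStatus(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major < FIRST_AFFECTED_MAJOR) return { status: 'not-affected', fixedIn: null };
  if (major <= LAST_EOL_MAJOR) return { status: 'end-of-life', fixedIn: null };
  const fixed = FIXED_VERSIONS[major];
  // Release lines the article does not list (assumption: report them as unknown
  // rather than guessing) get no verdict.
  if (!fixed) return { status: 'unknown', fixedIn: null };
  const status = compareVersions(parsed, parseVersion(fixed)) >= 0 ? 'patched' : 'vulnerable';
  return { status, fixedIn: fixed };
}

// Stand-alone usage: report on the interpreter running this file.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(process.version, patchStatus(process.version));
}
```

Run it with `node` on each host, or feed it the output of `node --version` collected from a fleet; an `end-of-life` result means there is no patched release in that line and the only remediation is moving to a supported line.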

CVE Details and Security Impact

  • CVE ID: CVE-2025-59466
  • CVSS Score: 7.5 (High)

The fix changes how Node.js handles stack overflow: it recognizes the stack-exhausted condition and passes the error to user code instead of killing the process.

Node.js, however, classifies the fix as a mitigation rather than a complete security solution, for the following reasons:

  • Stack exhaustion is not covered by the ECMAScript specification
  • V8 does not consider stack overflow a security problem
  • The uncaughtException handler is designed only as a last-resort mechanism and has its limitations

Additional High-Severity Node.js Fixes Released

Alongside that problem, Node.js fixed three more high-severity vulnerabilities:

  • CVE-2025-55131: Possible data loss or publication
  • CVE-2025-55130: Accessing confidential documents through specially made relative symlink paths
  • CVE-2025-59465: Remote denial-of-service vulnerability

These patches serve as a reminder to always keep Node.js environments fully updated.

Recommendations for Developers and Organizations

Given the seriousness of the issue and its effect on the whole ecosystem, Node.js users are strongly advised to:

  • Upgrade immediately to one of the patched Node.js versions
  • Validate and sanitize user-controlled inputs that drive recursion
  • Enforce limits on deep or infinite recursion
  • Monitor for application crashes and unexpected exits

Framework developers should harden their code against stack space exhaustion.

Final Thoughts

This vulnerability highlights how interconnected the current Node.js ecosystem is. The problem has already surfaced in the real world, with Next.js among the major frameworks affected and almost all APM tools also impacted in terms of stability and reliability.

On the one hand, the fix removes unpredictability and makes the developer experience smoother; on the other, it shows that proactive upgrades and investment in defensive coding practices must be part of any strategy for keeping Node.js applications secure and robust.