Node.js patched a crash bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers.
Published:
14 January 2026 at 17:24:43
Alert date:
14 January 2026 at 19:01:05
Source:
socket.dev
Web Technologies, Supply Chain & Dependencies
Node.js patched a critical bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers with exit code 7. The issue affected virtually every production Node.js app using async context tracking, including React Server Components, Next.js, and APM tools. Stack overflow errors would crash the entire server process instead of returning catchable RangeErrors. The fix was included in security releases for Node.js versions 20.20.0, 22.22.0, 24.13.0, and 25.3.0, though Node.js 24+ were less affected due to reimplemented AsyncLocalStorage.
Technical details
Mitigation steps:
Affected products:
Node.js
React Server Components
Next.js
AsyncLocalStorage
Related links:
https://socket.dev/blog/node-js-fixes-asynclocalstorage-crash-bug-that-could-take-down-production-servers?utm_medium=feed
https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.