
Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Published:

14 January 2026 at 07:05:00

Alert date:

14 January 2026 at 09:00:58

Source:

thehackernews.com


Web Technologies, Supply Chain & Dependencies

Node.js released critical security updates to fix a vulnerability affecting virtually every production Node.js application. The issue involves the async_hooks feature: a stack overflow while it is enabled can crash the process, which can be used for denial-of-service attacks. The bug breaks the stack space exhaustion recovery mechanism in Node.js/V8 that frameworks rely on for service availability. Its potential for widespread impact makes it a critical threat to Node.js-based production environments.

Technical details

When a stack overflow occurs in user code while async_hooks is enabled, Node.js exits with code 7 (Internal Exception Handler Run-Time Failure) instead of handling the exception gracefully. In other words, the bug prevents Node.js from recovering from stack space exhaustion with a catchable error when async_hooks are used. Applications whose recursion depth is controlled by unsanitized input are therefore vulnerable to DoS attacks. The fix detects stack overflow errors and re-throws them to user code instead of treating them as fatal.

Mitigation steps:

Update to patched Node.js versions: 20.20.0 (LTS), 22.22.0 (LTS), 24.13.0 (LTS), or 25.3.0 (Current)
Users of affected frameworks/tools and server hosting providers should update as soon as possible
Maintainers of libraries and frameworks should apply more robust defenses to counter stack space exhaustion
Ensure service availability through proper error handling mechanisms
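
One way to apply the "more robust defenses" item, as an added example that is not from the advisory or the Node.js project: cap the nesting depth of untrusted input with an iterative check before any recursive code runs, so availability does not depend on recovering from a stack overflow. MAX_DEPTH, assertBoundedDepth, countLeaves and handleBody are hypothetical names, and the sample bodies are constructed.

```javascript
// Added example: reject over-deep untrusted input before recursive code sees it.
const MAX_DEPTH = 64; // assumed limit; set it from the application's real data

class DepthLimitError extends Error {}

// Walk the value with an explicit heap-allocated stack, so the check itself
// never recurses. Returns the deepest nesting level, or throws past maxDepth.
function assertBoundedDepth(value, maxDepth = MAX_DEPTH) {
  const pending = [[value, 1]];
  let deepest = 0;
  while (pending.length > 0) {
    const [node, depth] = pending.pop();
    if (node === null || typeof node !== 'object') continue; // scalar leaf
    if (depth > maxDepth) {
      throw new DepthLimitError(`nesting depth exceeds ${maxDepth}`);
    }
    deepest = Math.max(deepest, depth);
    for (const child of Object.values(node)) pending.push([child, depth + 1]);
  }
  return deepest;
}

// Hypothetical recursive consumer: its call depth follows the input's nesting.
function countLeaves(node) {
  if (node === null || typeof node !== 'object') return 1;
  let total = 0;
  for (const child of Object.values(node)) total += countLeaves(child);
  return total;
}

// Hypothetical request-body handler: parse, bound the depth, then recurse.
function handleBody(jsonText, maxDepth = MAX_DEPTH) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch {
    return { status: 400, error: 'invalid JSON' };
  }
  try {
    assertBoundedDepth(body, maxDepth);
  } catch (err) {
    if (err instanceof DepthLimitError) return { status: 400, error: err.message };
    throw err;
  }
  return { status: 200, leaves: countLeaves(body) };
}

const shallowBody = '{"user":{"tags":["a","b"],"age":3}}'; // constructed sample
const deepBody = '['.repeat(100) + ']'.repeat(100); // constructed, 100 levels
```

The depth check runs the same way whether or not async_hooks or AsyncLocalStorage is active, because it never relies on catching a stack overflow error.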

Affected products:

Node.js 8.x through 18.x (unpatched, end-of-life)
React Server Components
Next.js
Datadog APM
New Relic APM
Dynatrace APM
Elastic APM
OpenTelemetry

IOC's:

Node.js process exit code 7 (Internal Exception Handler Run-Time Failure)
Stack overflow conditions in applications using async_hooks
Recursion attacks on unsanitized input when AsyncLocalStorage is used

This article was created with the assistance of AI technology by Perceptive.
