A critical Node.js vulnerability, tracked as CVE-2025-59466, has been patched by the open-source JavaScript runtime environment. This security flaw, described as a denial-of-service (DoS) issue impacting nearly all production Node.js applications, could lead to unexpected application crashes if exploited by malicious actors. The update aims to restore predictable error handling and service availability across the affected ecosystem.
Node.js, a popular backend JavaScript runtime, has released urgent updates to address what it terms a critical security issue impacting a vast number of applications. This vulnerability, if exploited, could trigger a denial-of-service (DoS) condition, causing applications to become unavailable. The fix addresses a fundamental flaw in how Node.js handles stack exhaustion errors when specific asynchronous features are enabled, ensuring greater stability for developers and users alike.
Critical Node.js Vulnerability Addresses DoS Risk
The core of the issue, according to Node.js developers Matteo Collina and Joyee Cheung, lies in the runtime’s behavior when stack space exhaustion occurs. Normally, Node.js attempts to recover from such situations by throwing a catchable error, a mechanism that many frameworks rely on for maintaining service availability. However, a bug present when `async_hooks` is enabled disrupts this process. Instead of throwing a manageable error, Node.js exits with a non-recoverable error code (code 7) when user code triggers excessive recursion that exhausts stack space. This behavior leaves applications vulnerable to DoS attacks, particularly those where the recursion depth is influenced by unsanitized user input.
The `async_hooks` module is a low-level Node.js API designed to provide insights into the lifecycle of asynchronous resources. These resources include operations such as database queries, timers, and HTTP requests. Frameworks and Application Performance Monitoring (APM) tools that leverage components built on top of `async_hooks`, such as `AsyncLocalStorage`, are particularly susceptible. This includes widely used technologies like React Server Components, Next.js, and APM solutions from vendors like Datadog, New Relic, Dynatrace, Elastic APM, and those implementing OpenTelemetry.
Affected Node.js Versions and Patching
Node.js has released patches for several versions to mitigate this critical Node.js vulnerability:
- Node.js 20.20.0 (LTS)
- Node.js 22.22.0 (LTS)
- Node.js 24.13.0 (LTS)
- Node.js 25.3.0 (Current)
The vulnerability traces back to Node.js version 8.x, the initial release to feature `async_hooks`. All versions from 8.x up to 18.x are impacted. However, Node.js versions that have reached their end-of-life (EoL) status, including these older versions, will not receive patches. Users are strongly encouraged to upgrade to one of the supported, patched versions to protect themselves against potential attacks.
Mitigation and Broader Security Implications
The implemented fix for CVE-2025-59466, which has a CVSS score of 7.5, involves detecting stack overflow errors and re-throwing them to user code instead of allowing them to terminate the Node.js process fatally. Node.js has characterized this as a mitigation rather than a complete fix due to its nature as a bug fix for unspecified behavior. However, acknowledging the widespread impact on the ecosystem, including key frameworks and APM tools, prompted its inclusion in a security release.
The move aims to improve the developer experience by making error handling more predictable and ensuring service availability against this specific DoS vector. Node.js developers and maintainers of associated libraries and frameworks are urged to apply these updates promptly. Server hosting providers and users of affected frameworks and tools should prioritize updating their environments as soon as possible.
Beyond this critical Node.js vulnerability, Node.js also recently issued fixes for three other high-severity flaws. These include CVE-2025-55131, which could lead to data leakage or corruption; CVE-2025-55130, allowing sensitive files to be read via crafted symbolic link paths; and CVE-2025-59465, which could trigger a remote denial-of-service. The coordinated release of these patches highlights Node.js’s ongoing commitment to robust application security.
With the immediate security patches released, the focus now shifts to widespread adoption by the Node.js community. Developers and infrastructure managers must ensure their applications are running on the latest secure versions to prevent exploitation of CVE-2025-59466 and the other disclosed vulnerabilities. The continued vigilance of maintainers in addressing stack space exhaustion and similar issues will be crucial for maintaining the stability and security of the Node.js ecosystem moving forward.