Cybersecurity

Update: Critical Node.js Vulnerability Can Cause Server Crashes Via...

2026-01-14 0 views admin
Update: Critical Node.js Vulnerability Can Cause Server Crashes Via...

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition.

"Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's Matteo Collina and Joyee Cheung said in a Tuesday bulletin.

"A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to denial-of-service attacks."

At its core, the shortcoming stems from the fact that Node.js exits with code 7 (denoting an Internal Exception Handler Run-Time Failure) instead of gracefully handling the exception when a stack overflow occurs in user code while async_hooks is enabled. Async_hooks is a low-level Node.js API that allows developers to track the lifecycle of asynchronous resources, such as database queries, timers, or HTTP requests.

The issue, Node.js said, impacts several frameworks and Application Performance Monitoring (APM) tools, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, owing to the use of AsyncLocalStorage, a component built atop the async_hooks module that makes it possible to store data throughout the lifetime of an asynchronous operation.

The problem also impacts all Node.js versions from 8.x, which was the first version with async_hooks, to 18.x. It's worth noting that Node.js version 8.0.0, codenamed Carbon, was released on May 30, 2017. However, these versions remain unpatched as they have reached end-of-life (EoL) status.

The fix put in place detects stack overflow errors and re-throws them to user code instead of treating them as fatal. This is being tracked under the CVE identifier CVE-2025-59466 (CVSS score: 7.5). Despite the significant practical impact, Node.js said it's treating the fix as only a mitigation owing to a couple of reasons -

"Although it is a bug fix for an unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem," Node.js said. "React Server Components, Next.js, and virtually every APM tool are affected. The fix improves developer exper

Source: The Hacker News

🏷️ Tags

securityvulnerabilitycveattackexploit

More from Cybersecurity

Latest: Microsoft Updates Windows Dll That Triggered Security Alerts

Latest: Microsoft Updates Windows Dll That Triggered Security Alerts

2026-01-14 0
Update: Critical AI Agents Are Becoming Privilege Escalation Paths

Update: Critical AI Agents Are Becoming Privilege Escalation Paths

2026-01-14 0
Complete Guide to Consentfix Debrief: Insights From The New Oauth Phishing Attack

Complete Guide to Consentfix Debrief: Insights From The New Oauth Phishing Attack

2026-01-14 0
Essential Guide: Hackers Exploit C-ares Dll Side-loading To Bypass Security And...

Essential Guide: Hackers Exploit C-ares Dll Side-loading To Bypass Security And...

2026-01-14 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views