If you run production workloads on Node.js, this is one of those updates you should not postpone. A newly disclosed vulnerability shows how a subtle flaw deep inside Node's async handling can crash entire servers with nothing more than carefully triggered recursion.

What makes this issue especially concerning is not just its technical nature, but how widespread its impact is across modern Node.js applications. In fact, the Node.js team themselves described it as affecting "virtually every production Node.js app."

Let's break down what happened, why it matters, and what you should do next.

When Stack Overflows Stop Being Recoverable

Node.js is designed to be resilient. Under normal circumstances, when JavaScript code runs out of stack space, Node (and the underlying V8 engine) attempts a graceful recovery. Instead of terminating the process, it throws a catchable error that frameworks and applications can handle safely.

That safety net breaks down when async_hooks are involved.

According to Node.js maintainers Matteo Collina and Joyee Cheung, a bug causes Node.js to exit immediately with exit code 7 when a stack overflow occurs during recursive execution — but only if async_hooks is enabled. Crucially, no catchable error is thrown. The process simply dies.

This behavior turns what would normally be a handled runtime error into a denial-of-service condition.

Why async_hooks Makes This Worse

The async_hooks API is a low-level mechanism used to track the lifecycle of asynchronous operations such as HTTP requests, database calls, and timers. On its own, that sounds fairly niche.

In practice, however, async_hooks sits underneath AsyncLocalStorage, a widely used feature that allows data to persist across async boundaries. That makes it foundational to modern frameworks and observability tools.

Because of this, the vulnerability ripples through much of the Node.js ecosystem, including:

In short, if your app relies on request context tracking, performance monitoring, or server-side React features, it is very likely affected.

How Attackers Can Exploit This

The real danger appears when recursion depth is influenced by user input.

If an attacker can supply data that forces deep or unbounded recursion, and async_hooks is active, the application can be crashed outright. No exception handlers, no recovery logic, no graceful shutdown — just a terminated Node process.

That makes this flaw especially attractive for denial-of-service attacks.

Affected Versions and Patch Status

The issue has been fixed in the following releases:

Unfortunately, all Node.js versions from 8.x through 18.x are also affected — and those versions will not receive patches because they have already reached end-of-life. Node.js 8.0.0 alone dates back to May 2017, highlighting just how long this behavior has existed unnoticed.

What the Fix Actually Does

Rather than treating stack overflows as fatal when async_hooks is enabled, the patch detects the condition and rethrows the error back into userland code. This restores predictable behavior and allows applications to handle the error properly.

The vulnerability is tracked as CVE-2025-59466, with a CVSS score of 7.5.

Interestingly, Node.js considers this change a mitigation rather than a full security fix. The reasons include:

Despite that, Node.js chose to include the fix in a security release due to its massive ecosystem impact.

Why This Matters Beyond One Bug

This incident highlights how fragile modern server stacks can be when low-level assumptions break. A behavior that frameworks quietly relied on for years suddenly becomes a reliability risk once async context tracking enters the picture.

For developers, it also reinforces an old lesson: never trust unbounded recursion, especially when user input controls execution depth.

What You Should Do Now

If you run Node.js in production:

Library and framework maintainers are also being urged to harden their code against stack exhaustion scenarios to prevent similar failures in the future.

More Fixes Released Alongside This Patch

This disclosure arrived alongside fixes for three other high-severity Node.js vulnerabilities:

Taken together, this release is a strong reminder that keeping your runtime up to date is not optional — it is a fundamental part of keeping services stable and secure.

If you rely on Node.js for critical workloads, this is one update worth prioritising today, not later.