The Node.js project has released security patches for a denial-of-service vulnerability that causes applications to crash when they process deeply nested data. The issue affects React Server Components, Next.js, and the major application performance monitoring (APM) tools.
The issue was reported by the React and Next.js teams in December 2025, and fixes were released across supported Node.js versions as part of the January 2026 security update.
When the Node.js feature called async_hooks (an API for tracking the lifetime of asynchronous resources, used by diagnostics and tracing code) is enabled, a stack overflow (V8's RangeError: Maximum call stack size exceeded) terminates the process immediately instead of propagating to the application's error handlers. That turns any recursive code path reachable from untrusted input into an attack vector: a malicious user can send a deeply nested data structure and crash the server.
The issue is particularly significant because async_hooks is enabled automatically by widely used frameworks and tools. React Server Components use it for rendering context, Next.js uses it for request tracking, and the major APM tools, including Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, rely on it for request tracing.
Applications become vulnerable the moment developers install monitoring tools or use modern React features, often without realizing async_hooks are active.
Node.js runs async_hooks callbacks under a fatal error handler that terminates the process immediately if a hook throws. The bug arises because promise hooks run on the same call stack as the user code that created the promise. When deeply recursive code creates promises, the stack overflow RangeError is raised while a hook callback is still on the stack, so the fatal handler treats it as an exception thrown by the hook itself and aborts the process instead of letting the error propagate to a surrounding try/catch.
The patches detect stack-overflow errors specifically and re-throw them to user code, restoring normal error handling for that case.
Security updates are available for all supported Node.js releases:
- Node.js 25.3.0 (Current)
- Node.js 24.13.0 (LTS)
- Node.js 22.22.0 (LTS)
- Node.js 20.20.0 (LTS)
Node.js 8.x through 18.x are also affected, but those lines have reached end of life and will not receive patches.
Node.js 24 and later are partially protected because AsyncLocalStorage was reimplemented on top of V8's AsyncContextFrame instead of async_hooks. React Server Components and Next.js rely on AsyncLocalStorage, so on these versions they no longer enable async_hooks and are not affected; APM tools that register async_hooks callbacks directly remain vulnerable until the runtime is patched.
The Node.js maintainers stressed that the fix is a mitigation rather than a complete solution. Stack overflow handling is not part of the ECMAScript specification and is implemented on a best-effort basis. The project nonetheless shipped it in a security release because of the breadth of the ecosystem impact: React, Next.js, and production monitoring infrastructure.
Organizations should update immediately. Independently of the patch, code that processes untrusted input should validate the nesting depth of incoming data structures and enforce explicit recursion depth limits, so that a hostile payload is rejected with a controlled error before it can exhaust the call stack.
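As an added example of the depth limits recommended above (this is not code from the Node.js project, the React team, or the original article), the following JavaScript rejects over-nested input at two points: a linear scan of the raw JSON text before it is parsed, and a bounded walk of an already-parsed value. The limit MAX_DEPTH of 32 is an assumed value for a hypothetical service, and the sample payloads are constructed for the demonstration.

```javascript
'use strict';

// Assumed nesting limit for a hypothetical service; tune to the real schema.
const MAX_DEPTH = 32;

// Scan raw JSON text and return its maximum bracket nesting depth.
// Brackets inside string literals are ignored. Runs in O(n) time with
// constant stack usage, so it is safe to call before any recursive code.
function jsonNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return maxDepth;
}

// Parse untrusted JSON only after confirming its nesting is within bounds.
// A controlled RangeError here is catchable by ordinary error handling.
function parseBounded(text, maxDepth = MAX_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Iterative (non-recursive) depth measurement of a parsed value, for data
// that arrives already deserialised (e.g. from another library).
function valueDepth(value) {
  let maxDepth = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, d] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (d > maxDepth) maxDepth = d;
    for (const child of Object.values(node)) stack.push([child, d + 1]);
  }
  return maxDepth;
}

// A recursive walker that carries an explicit depth counter and fails with a
// controlled RangeError long before the native call stack is exhausted.
function countLeaves(node, depth = 0, maxDepth = MAX_DEPTH) {
  if (depth > maxDepth) {
    throw new RangeError(`structure nested deeper than ${maxDepth}`);
  }
  if (node === null || typeof node !== 'object') return 1;
  let leaves = 0;
  for (const child of Object.values(node)) {
    leaves += countLeaves(child, depth + 1, maxDepth);
  }
  return leaves;
}

// Constructed payloads: a benign document and a 100000-deep array.
const benignPayload = '{"a":[1,{"b":2}]}';
const hostilePayload = '['.repeat(100000) + ']'.repeat(100000);

// Demonstration: the hostile payload is rejected before any recursion runs.
function demo() {
  const results = {};
  results.benign = countLeaves(parseBounded(benignPayload));
  try {
    parseBounded(hostilePayload);
    results.hostile = 'accepted';
  } catch (err) {
    results.hostile = err instanceof RangeError ? 'rejected' : 'other error';
  }
  return results;
}

console.log(demo());

module.exports = { MAX_DEPTH, jsonNestingDepth, parseBounded, valueDepth, countLeaves, demo };
```

The pre-parse scan matters even though V8's JSON.parse is itself iterative: the crash described in this article comes from application or framework code that later recurses over the parsed structure, so the cheapest place to enforce the limit is on the raw bytes, before the payload reaches anything that recurses.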
The Node.js blog post on the release has further information and technical details.