
Node.js Critical Bug: 9-Year async_hooks Flaw Exposed

[Figure: Critical Node.js security vulnerability affecting async_hooks and AsyncLocalStorage (CVE-2025-59466)]

A critical Node.js vulnerability that lurked undetected for nine years is forcing emergency upgrades across the ecosystem. CVE-2025-59466, patched on January 13, 2026, affects virtually every production Node.js application using async_hooks or AsyncLocalStorage—including React Server Components, Next.js, and every major APM tool. A single malicious request can crash entire servers with no opportunity for recovery. The irony cuts deep: monitoring tools designed to improve reliability have become attack vectors.

When Error Handling Stops Working

The vulnerability breaks Node.js’s fundamental promise that errors are catchable. Normally, a stack overflow throws a “Maximum call stack size exceeded” error that your try/catch blocks can handle. But when async_hooks are enabled, Node.js exits immediately with code 7—an “Internal Exception Handler Run-Time Failure”—before throwing anything to user code.

Exit code 7 means the exception handler itself crashed. async_hooks tries to process the stack overflow, fails, and Node.js panic-exits. No try/catch. No uncaughtException handlers. No graceful degradation. The process dies instantly, dropping all in-flight requests.

According to the official Node.js security advisory, “When recursion in user code exhausts stack space, Node.js exits immediately with exit code 7 instead of throwing a recoverable error.”

Who’s Running Vulnerable Code

If you’re using any modern Node.js framework or observability tool, you’re affected. React Server Components rely on AsyncLocalStorage to track rendering context. Next.js uses it for request management. And every major APM tool—Datadog, New Relic, Dynatrace, Elastic APM, OpenTelemetry—depends on async_hooks to correlate operations into distributed traces.

APM tools need async context tracking to follow requests through your application: from HTTP request through middleware to database queries to external API calls and back. AsyncLocalStorage is the only reliable mechanism in Node.js for this, which is why security researchers report that this flaw could “crash virtually every production Node.js app.”

The affected versions span nearly the entire active Node.js ecosystem. Legacy versions (8.x through 18.x) remain unpatched and End-of-Life. Supported versions received patches: Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0.

How the Attack Works

Exploitation is trivial. Send a POST request with JSON nested 10,000 levels deep. The server recursively processes it, exhausts the stack during parsing, and crashes with exit code 7. All requests in flight are dropped.

GraphQL resolvers make even easier targets. Craft a query that references users who have posts written by authors who have posts, recursively, until the stack gives out. The Next.js server using AsyncLocalStorage for request context crashes instantly instead of returning a 500 error.

The attack requires no authentication and works with a single request. If an attacker controls recursion depth through unsanitized input, they control your uptime.

Patch Now, Validate Forever

The Node.js team released patches across all supported versions on January 13, 2026. The fix detects stack overflow errors before async_hooks processes them and re-throws them to user code, restoring normal error handling. Node.js 24 and later go further: AsyncLocalStorage was reimplemented using V8’s AsyncContextFrame, eliminating this entire class of bug.

Upgrading is not optional. This is a critical DoS vulnerability with trivial exploitation. If your Node.js version is older than 20.20.0, 22.22.0, 24.13.0, or 25.3.0 on its release line, you’re running vulnerable code.

But patching alone isn’t enough. The Node.js advisory warns that “stack overflow recovery is unspecified, best-effort behavior” and “should not be relied upon for service availability.” Translation: implement recursion depth limits in your application code. Validate and sanitize nested structures in user input. Test for deep recursion scenarios. Don’t assume the runtime will save you.
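The two checks the article asks for, a version check against the patched releases and a nesting-depth limit on untrusted JSON, as an added example that is not code from the Node.js project or the advisory. It assumes the patched version numbers quoted above and treats any major not listed (End-of-Life 18.x and below, or anything unknown) as unpatched.

```javascript
// Added example, not code from the advisory or the article. PATCHED holds the
// minimum patched release per supported major line, as stated in the article;
// majors not listed here (EOL <= 18, or unknown) are reported as unpatched.
const PATCHED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };

// True when `version` ("v22.22.1" or "22.21.0") is at or above the patched
// release for its major line. Unlike a string-prefix check, 22.23.0 passes.
function isPatchedNode(version) {
  const parts = version.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new TypeError(`unrecognised version string: ${version}`);
  }
  const min = PATCHED[parts[0]];
  if (!min) return false;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== min[i]) return parts[i] > min[i];
  }
  return true;
}

// Maximum bracket nesting depth of raw JSON text, found without building the
// object tree. Brackets inside string literals are ignored, so {"a":"]]]]"} has
// depth 1. Throws as soon as `limit` is exceeded, before any recursive walker runs.
function jsonDepth(text, limit = Infinity) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;              // skip the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
    } else if (c === '{' || c === '[') {
      if (++depth > limit) throw new RangeError(`JSON nesting exceeds ${limit}`);
      if (depth > max) max = depth;
    } else if (c === '}' || c === ']') {
      depth--;
    }
  }
  return max;
}

// Drop-in replacement for JSON.parse on request bodies: depth is enforced first.
function safeParse(text, limit = 32) {
  jsonDepth(text, limit);
  return JSON.parse(text);
}

// Constructed sample: a body nested 10,000 levels deep, as in the article.
const hostileBody = '['.repeat(10000) + ']'.repeat(10000);
```

Call `isPatchedNode(process.version)` at startup and use `safeParse` wherever request bodies are decoded; the depth limit is the control to rely on, since the advisory says stack overflow recovery is best-effort.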

A Nine-Year Wake-Up Call

The bug has existed since Node.js 8 in May 2017. For nine years, it hid in plain sight—obscure, mostly harmless, rarely triggered. What changed? Modern frameworks adopted AsyncLocalStorage as foundational infrastructure. React Server Components, Next.js, and APM tools turned an edge case into a widespread vulnerability.

This isn’t an isolated incident. The first half of 2026 has seen over 21,500 CVE disclosures, a 16-18% increase compared to 2024. January alone brought React Server Components RCE (CVE-2025-55182, CVSS 10.0), n8n workflow automation flaws (CVE-2025-68668, CVSS 9.9), and Microsoft’s 114-flaw Patch Tuesday including three zero-days.

The Node.js vulnerability reveals how architectural choices cascade through ecosystems. A low-level API quirk became critical when frameworks built on it. Monitoring tools meant to improve observability created a single point of failure. Legacy infrastructure is hiding more bugs like this.

Security vigilance isn’t optional in 2026. Check your Node.js version. Upgrade immediately. Add recursion limits to your code. The next nine-year-old bug might not wait for a patch.

ByteBot