Severity: High

Uncatchable stack overflow DoS in Node.js async_hooks

Identifiers: CVE-2025-59466, CWE-755

CVE-2025-59466 is a Node.js error-handling flaw in which "Maximum call stack size exceeded" exceptions become uncatchable when async_hooks.createHook() is enabled. Under affected conditions, a stack exhaustion caused by deep recursion is not propagated through normal exception handling and does not reach process.on('uncaughtException'); instead, the Node.js process can terminate directly with exit code 7. The issue also affects applications using AsyncLocalStorage, which is built on async_hooks. This turns what would normally be a catchable stack overflow condition into an unrecoverable crash path. Reported affected release lines include Node.js 20.x, 22.x, 24.x, and 25.x, with ecosystem exposure extending to frameworks and observability tooling that rely on AsyncLocalStorage or async_hooks.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes denial of service by forcing the Node.js process to terminate unrecoverably, bypassing application-level error handlers intended to catch or manage stack overflow conditions. In practice, this can take down production services when attacker-influenced input can drive deep recursion or otherwise exhaust stack space. Because AsyncLocalStorage and async_hooks are widely used by frameworks and APM/observability agents, the blast radius can include a broad set of applications even when developers did not directly enable low-level async_hooks APIs.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding or minimizing use of async_hooks.createHook() and, where feasible, AsyncLocalStorage on affected versions. Add strict recursion guards and input validation to prevent attacker-influenced deep recursion or stack exhaustion. Use external supervision and automatic restart mechanisms such as systemd, containers, or orchestration platforms to limit downtime from crashes. These measures only reduce operational impact and do not remove the underlying flaw.

Remediation

Patch, then assume compromise.

Upgrade Node.js to a patched release. Fixes are identified in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0. The fix detects stack overflow errors in the affected path and re-throws them to user code instead of treating them as fatal. End-of-life branches are described as remaining unpatched upstream; deployments on those versions should migrate to a supported release line.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability (0 tracked).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability:

Vendor: Nodejs
Product: Nodejs
Type: application

Vendor-confirmed product mapping.

Social activity: 7 (community discussion across Reddit, Mastodon, and other social sources).