CVE-2025-59466: Critical Node.js AsyncLocalStorage and async_hooks Vulnerability Enables Easy Denial-of-Service Attacks
- Rescana

Executive Summary
A critical vulnerability, CVE-2025-59466, has been discovered in Node.js, specifically within the async_hooks module and its implementation in AsyncLocalStorage. This flaw enables remote attackers to crash Node.js servers by inducing an unrecoverable stack overflow, resulting in a Denial-of-Service (DoS) condition. The vulnerability is particularly severe for applications leveraging React Server Components, Next.js, and leading Application Performance Monitoring (APM) tools, as these frameworks and tools depend on AsyncLocalStorage (which, in Node.js versions prior to 24, is built atop async_hooks). The attack is trivial to execute and can be triggered by sending deeply nested input, such as a JSON payload, to a vulnerable endpoint. Immediate remediation is strongly advised for all organizations running affected versions of Node.js.
Technical Information
The vulnerability, tracked as CVE-2025-59466, resides in the async_hooks module of Node.js. When async_hooks is enabled—either directly or indirectly via AsyncLocalStorage—a stack overflow in user code causes the Node.js process to terminate immediately with exit code 7. This termination bypasses all conventional error handling mechanisms, including try-catch blocks and process.on('uncaughtException') handlers, rendering the error uncatchable and the process unrecoverable.
The technical root cause lies in the way Node.js handles stack overflows during async_hooks callbacks. Specifically, when a stack overflow occurs within an async_hooks callback (such as during recursive Promise creation), the runtime invokes TryCatchScope::kFatal, which treats the error as fatal and terminates the process without propagating the error to userland code. This behavior is especially problematic in modern web applications, where AsyncLocalStorage is widely used for context propagation in frameworks like React and Next.js, as well as in APM solutions such as Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry.
A typical exploit scenario involves an attacker submitting a JSON payload with extreme nesting (e.g., an array nested 50,000 levels deep) to an API endpoint. If the endpoint processes this input recursively and async_hooks is enabled, the stack overflow will crash the server process. In contrast, if async_hooks is not enabled, the error can be caught and handled gracefully.
The vulnerability affects a broad ecosystem, including but not limited to:
- React Server Components (React 18+), which use AsyncLocalStorage for context tracking;
- Next.js, which relies on AsyncLocalStorage for managing request context, cookies, and headers;
- APM tools such as Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry, all of which utilize async_hooks or AsyncLocalStorage for tracing and instrumentation.
The issue was discovered by Andrew MacPherson (Next.js/React) and reported via Vercel Security. The fix, implemented in patched versions of Node.js, detects stack overflow errors and rethrows them to user code, allowing standard error handling mechanisms to function as intended. Additionally, in Node.js 24 and later, AsyncLocalStorage was reimplemented using V8's AsyncContextFrame, eliminating reliance on async_hooks.createHook() and thus mitigating the vulnerability.
Exploitation in the Wild
As of the time of this report, there are no confirmed public reports of active exploitation of CVE-2025-59466. However, the vulnerability is considered trivial to exploit and poses a significant risk due to the ubiquity of affected frameworks and tools. Proof-of-concept (PoC) code is available in the official Node.js advisory and has been referenced in private security reports, such as HackerOne report #3456295. The primary attack vector is remote, typically via HTTP POST requests containing deeply nested JSON or other recursive data structures. Security researchers and vendors have demonstrated the exploitability of this flaw, and opportunistic threat actors are likely to adopt it rapidly if systems remain unpatched.
APT Groups using this vulnerability
There are currently no known Advanced Persistent Threat (APT) groups publicly attributed to the exploitation of CVE-2025-59466. The vulnerability aligns with tactics commonly used in opportunistic Denial-of-Service (DoS) attacks rather than targeted, persistent campaigns. The MITRE ATT&CK framework maps this vulnerability to T1499: Endpoint Denial of Service, specifically under the resource exhaustion (stack overflow) technique. While no APT activity has been observed, the ease of exploitation and the potential for widespread disruption make this vulnerability a high-priority concern for all organizations, regardless of sector.
Affected Product Versions
The following Node.js versions are affected by CVE-2025-59466:
- Node.js 8.x through 18.x (End-of-Life, unpatched and unsupported)
- Node.js 20.x (patched in 20.20.0)
- Node.js 22.x (patched in 22.22.0)
- Node.js 24.x (patched in 24.13.0)
- Node.js 25.x (patched in 25.3.0)
Any application or service running an unpatched version within these release lines is vulnerable if it uses async_hooks or any dependency that leverages AsyncLocalStorage. This includes, but is not limited to, applications built with React Server Components, Next.js, and those instrumented with APM tools such as Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry.
Workaround and Mitigation
The most effective mitigation is to upgrade Node.js to a patched version: 20.20.0, 22.22.0, 24.13.0, or 25.3.0. These releases contain the necessary fixes to handle stack overflows gracefully and prevent uncatchable process termination.
For organizations unable to upgrade immediately, several risk reduction strategies are recommended. First, review all code paths that process user input, especially those involving recursion or deep data structure traversal. Implement input validation to limit the maximum depth of nested data structures accepted from clients. Avoid deep recursion in application logic where possible, and consider iterative approaches for processing user data. Monitor application logs for Node.js process exits with code 7 and investigate any unusual POST requests containing deeply nested JSON payloads.
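An added illustration of the depth-limiting input validation recommended above (example code written for this advisory, not Node.js, Next.js or Rescana code): it measures the nesting of the raw request body with a single iterative pass, so the check itself cannot overflow the stack, and rejects over-nested payloads before JSON.parse or any recursive handler runs. The depth limit of 32 and the sample bodies are assumed values.

```javascript
// Added example (not from the advisory): an iterative pre-parse depth check for
// raw JSON request bodies. It walks the text once without recursion, so the
// check itself cannot overflow the stack, and rejects payloads whose nesting
// exceeds a configured limit before JSON.parse or any recursive application
// code ever sees them. The limit of 32 is an assumed value for illustration.
const MAX_JSON_DEPTH = 32;

// Returns the maximum bracket/brace nesting depth of a JSON text, ignoring
// brackets inside string literals (escaped quotes are handled).
function maxJsonDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  let escaped = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (escaped) {
        escaped = false;
      } else if (ch === '\\') {
        escaped = true;
      } else if (ch === '"') {
        inString = false;
      }
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return maxDepth;
}

// Parses a request body only if its nesting stays within the limit.
// Returns { ok: true, value } or { ok: false, depth } so the caller can answer
// with a 400 instead of letting the payload reach recursive code.
function parseBounded(text, limit = MAX_JSON_DEPTH) {
  const depth = maxJsonDepth(text);
  if (depth > limit) return { ok: false, depth };
  return { ok: true, value: JSON.parse(text) };
}

// Constructed sample inputs: a benign body and a 50,000-level nested one.
const benign = '{"user":{"tags":["a","]["]}}';
const hostile = '['.repeat(50000) + ']'.repeat(50000);
```

Run parseBounded on the body before any handler that walks the structure recursively; the rejection branch is where a 400 response and a log entry for the oversized payload belong.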
It is also advisable to review dependencies and third-party modules for indirect usage of AsyncLocalStorage or async_hooks, as these may introduce the vulnerability even if not explicitly used in your codebase.
Rescana is here for you
At Rescana, we understand the critical importance of proactive risk management in today’s rapidly evolving threat landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. By leveraging advanced automation and threat intelligence, Rescana helps you stay ahead of emerging vulnerabilities and maintain robust security postures. If you have any questions about this advisory or require further assistance, our cybersecurity experts are ready to help at ops@rescana.com.