Node.js has recently released patches for three high-severity vulnerabilities. These vulnerabilities (CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465) could lead to server crashes when the async_hooks module is being used. They impact many widely used frameworks and APM solutions, including React Server Components, Next.js, Datadog, NewRelic, Dynatrace, Elastic APM, and OpenTelemetry.
The root cause is how Node.js treats the exception raised when user code overflows the stack. The issue manifests only when async_hooks is enabled. When it occurs, Node.js crashes with exit code 7, which can be hugely detrimental to application uptime and performance.
The Role of async_hooks
The async_hooks module is very important in Node.js applications. It frees developers from having to worry about losing and restoring context across asynchronous operations. In particular, AsyncLocalStorage, a class built on top of async_hooks, is used to store data for the lifetime of an async task. The bug can occur when a stack overflow happens while async_hooks is turned on. The issue hit applications that depend on these features very hard.
Matteo Collina and Joyee Cheung highlighted the critical nature of this issue:
“Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability.”
This overreliance makes Node.js frameworks and applications vulnerable. Worse, they might suffer unplanned downtime if they run into this bug.
Vulnerability Impact on Applications
These vulnerabilities represent a serious risk to applications in which the recursion depth can be affected by unsanitized user input.
This scenario underscores the danger that real-world malicious actors could disrupt services by exploiting the vulnerability.
“A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to denial-of-service attacks.”
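The risk described above comes from letting untrusted input decide how deep user code recurses. The following is an added example, not code from Node.js or from any of the frameworks named on this page. It rejects over-nested JSON before a recursive handler runs, so availability does not depend on catching a stack overflow. MAX_DEPTH, nestingDepth, countLeaves and handleUntrusted are hypothetical names, and the limit of 64 is an assumed application policy.

```javascript
// Assumed application policy: deepest nesting accepted from untrusted input.
const MAX_DEPTH = 64;

// Measure nesting depth with an explicit stack instead of recursion, so the
// check itself cannot exhaust the call stack. Returns Infinity as soon as
// the limit is exceeded, without walking the rest of the input.
function nestingDepth(value, limit = MAX_DEPTH) {
  let deepest = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue; // primitive leaf
    if (depth > limit) return Infinity;
    if (depth > deepest) deepest = depth;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return deepest;
}

// A recursive handler of the kind the advisory describes: its call depth
// follows the shape of the input.
function countLeaves(node) {
  if (node === null || typeof node !== 'object') return 1;
  let total = 0;
  for (const child of Object.values(node)) total += countLeaves(child);
  return total;
}

// Gate: parse, check depth, and only then hand the value to recursive code.
function handleUntrusted(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (nestingDepth(parsed) > MAX_DEPTH) {
    return { ok: false, reason: 'nesting too deep' };
  }
  return { ok: true, leaves: countLeaves(parsed) };
}
```

The same gate applies to any recursive structure taken from a request, such as nested query filters or tree-shaped payloads. It complements the patched Node.js releases and does not replace them.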
In response to these vulnerabilities, Node.js developers prioritized the release of fixes due to their widespread impact on the ecosystem.
Node.js Response
A representative from Node.js stated:
“Although it is a bug fix for an unspecified behavior, we chose to include it in the security release because of its widespread impact on the ecosystem.”
This decision underscores the importance of maintaining application security and reliability in a rapidly evolving technological landscape.

