Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

The Node.js Blog offers developers insights into Node.js runtime, JavaScript ecosystem, and server-side development. Developers can learn about asynchronous programming, event-driven architecture, and building scalable web applications with Node.js, as well as explore updates, releases, and best practices from the Node.js community.

Node.js

Node.js released a security patch for a denial-of-service vulnerability affecting applications using async_hooks (including React Server Components, Next.js, and all APM tools). When async_hooks is enabled, stack overflow from deep recursion causes immediate process termination with exit code 7 instead of throwing a catchable RangeError. The bug occurs because V8's promise hooks run synchronously on the same call stack as user code, and stack overflow errors are caught by Node.js's fatal error handler. The fix detects stack overflow and re-throws to user code. While patched in versions 20.20.0+, 22.22.0+, 24.13.0+, and 25.3.0+, developers are warned not to rely on recoverable stack overflow for security, as it's unspecified behavior.

Node.js — Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users

Why This Is Only a Mitigation, and The Vulnerability Lies Elsewhere

A Brief History: From async_hooks to AsyncContextFrame