The Problem
A critical Node.js vulnerability crashed production servers silently when deep recursion met async_hooks. Exit code 7, no logs, no catchable exceptions. Your error handlers were useless.
This wasn't theoretical. React Server Components, Next.js applications, and every major APM tool (Datadog, New Relic, Dynatrace, Elastic APM, OpenTelemetry) were vulnerable. If your stack used AsyncLocalStorage, you were exposed.
What Happened
When code hit maximum recursion depth while async_hooks was active, Node.js exited instead of throwing a catchable error. Process monitoring showed servers disappearing. Try-catch blocks failed. Uncaught exception handlers never fired.
The trigger: processing deeply nested user input (malicious JSON, recursive data structures) while AsyncLocalStorage was tracking async operations. One bad payload could take down your server.
The Timeline
Meta and Vercel teams reported mysterious crashes in early December 2025. Node.js maintainers filed CVE-2025-59466 on December 8. Multiple patch attempts failed before a working fix landed on December 17. Patched versions were released on January 13, 2026.
The fix altered async_hooks internals to prevent fatal crashes. Noor Mohammad's technical breakdown (January 19) gained traction on developer forums, confirming the production impact.
What This Means
APAC firms running Node.js stacks for scalable web applications need to upgrade immediately. The vulnerability bypassed standard error handling, making it invisible to monitoring until servers crashed.
Patched versions: Node.js 20.18.2+, 22.13.2+, 24.0.2+, 25.3.0+. Check your version now.
The Real Fix
Upgrading Node.js is mandatory, but don't rely on catching stack overflow errors to keep a service available. Validate input depth before processing. Add hard limits on recursion. A malicious user shouldn't control how deep your code goes.
This is the third async_hooks-related production issue in 18 months. The pattern is clear: async context tracking is powerful but fragile. Test recursive code paths under AsyncLocalStorage contexts. Add depth checks to anything processing user-controlled nested data.
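One way to apply the depth check described above, as an added example that is not from the original article or the Node.js project: it scans the raw JSON text iteratively and rejects over-deep payloads before JSON.parse or any recursive walk runs. MAX_DEPTH (32) and the function names jsonDepth and safeParse are assumptions chosen for illustration.

```javascript
// Added example: reject over-deep JSON before JSON.parse or any recursive walk.
// MAX_DEPTH and the function names are assumptions, not from any library.
const MAX_DEPTH = 32;

// Scan raw JSON text iteratively (no recursion) and return the maximum
// nesting depth of objects/arrays, ignoring brackets inside strings.
// Returns as soon as the limit is exceeded, so work stays bounded.
function jsonDepth(text, limit = MAX_DEPTH) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      if (++depth > max) max = depth;
      if (max > limit) return max;          // early exit on hostile input
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return max;
}

// Parse only if the payload is within the depth limit; never throws.
function safeParse(text, limit = MAX_DEPTH) {
  if (jsonDepth(text, limit) > limit) {
    return { ok: false, error: `nesting depth exceeds ${limit}` };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: 'invalid JSON' };
  }
}

// Constructed sample inputs: one ordinary payload, one deeply nested payload.
const shallow = '{"user":{"tags":["a","b"],"note":"brackets [[[{ in a string"}}';
const hostile = '['.repeat(100000) + ']'.repeat(100000);
console.log(safeParse(shallow).ok, jsonDepth(shallow));
console.log(safeParse(hostile));
```

Run the check at the request boundary, before the body reaches any handler that walks it recursively, and pair it with a request size limit.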
The bug is fixed. The lesson remains: silent failures in production are the worst kind.