Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM

On January 13, 2026, Node.js released information about a denial-of-service (DoS) vulnerability that affects applications that use async_hooks or AsyncLocalStorage. This vulnerability is tracked as CVE-2025-59466 and can cause Node.js processes to exit unexpectedly when certain stack overflow conditions occur while async_hooks are enabled.

Because Datadog APM’s Node.js dd-trace-js tracer uses AsyncLocalStorage to trace requests, this issue is relevant to APM customers who use affected Node.js versions (8.x through 23.x). This vulnerability is not specific to Datadog APM’s Node.js dd-trace-js tracer, and we have validated the tracer against patched Node.js versions.

This post will walk you through a summary of the vulnerability and how to remediate it.

Summary of the vulnerability

In affected Node.js versions, if a stack overflow occurs in user code while async_hooks are active, Node.js may immediately terminate the process instead of throwing a catchable RangeError. This behavior bypasses standard error handlers, making the failure unrecoverable and enabling DoS attacks.

Because AsyncLocalStorage is built on top of async_hooks, this issue can surface in applications and frameworks that rely on request context, including React Server Components (React 18 or later), Next.js, and application performance monitoring tooling. For customers running vulnerable Node.js versions, applications may be susceptible to process crashes if unsanitized user input can trigger excessive recursion.

Remediation and next steps

We recommend upgrading to one of the following patched Node.js versions released on January 13, 2026:

  • Node.js 25.3.0 (Current)
  • Node.js 24.13.0 (LTS)
  • Node.js 22.22.0 (LTS)
  • Node.js 20.20.0 (LTS)

For specific details about the vulnerability and remediation steps, see Datadog’s Security Research Feed.
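To check a fleet against the patched releases listed above, the following added example (not Datadog or Node.js project code) classifies Node.js version strings by release line. The status names, the service names, and the sample inventory are constructed for illustration; release lines newer than those listed are reported as unknown rather than judged.

```javascript
'use strict';
// Added example: classify Node.js versions against the patched releases
// listed in this post. Status names and sample data are assumptions.

// Minimum patched release per release line, taken from the list above.
const PATCHED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };
const NEWEST_LISTED_MAJOR = Math.max(...Object.keys(PATCHED).map(Number));

// Parse "v22.21.1" or "22.21.1" into [major, minor, patch].
// Pre-release suffixes (for example "-rc.1") are ignored.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(raw).trim());
  if (!m) throw new TypeError(`unrecognized Node.js version: ${raw}`);
  return m.slice(1).map(Number);
}

// Returns one of:
//   'patched'         at or above the patched release for its line
//   'upgrade-in-line' a patched release exists on the same line
//   'no-fix-listed'   the post lists no patched release for this line
//   'unknown'         line is newer than any the post covers
function classify(raw) {
  const v = parseVersion(raw);
  const min = PATCHED[v[0]];
  if (!min) return v[0] > NEWEST_LISTED_MAJOR ? 'unknown' : 'no-fix-listed';
  for (let i = 1; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i] ? 'patched' : 'upgrade-in-line';
  }
  return 'patched';
}

// Constructed inventory with hypothetical service names.
const SAMPLE_FLEET = [
  { service: 'checkout-api', node: 'v22.22.0' },
  { service: 'web-ssr', node: 'v24.12.0' },
  { service: 'legacy-batch', node: 'v18.20.4' },
  { service: 'image-worker', node: '20.19.5' },
];

// Attach a status to every inventory entry.
function audit(fleet) {
  return fleet.map(({ service, node }) => ({ service, node, status: classify(node) }));
}

console.log('this runtime:', process.version, classify(process.version));
console.table(audit(SAMPLE_FLEET));
```

Services reported as no-fix-listed need to move to one of the listed release lines, since the post names no patched release on their current line.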

Closing

We will continue to monitor advisories closely and validate Datadog’s tracer compatibility with patched releases. Customers who have questions about their specific configuration or upgrade path are encouraged to contact Datadog Support.

Acknowledgments

Thank you to Kennedy Toomey, Ryan Simon, and Eslam Salem, all of whom contributed to the making of this post.
