Node.js Alert: Mitigating Stack Space DoS for React & Next.js
Dillip Chowdary
Founder & AI Researcher
The Node.js project has released a critical advisory regarding a Denial-of-Service (DoS) vulnerability stemming from "Unrecoverable Stack Space Exhaustion." This issue specifically impacts applications using async_hooks, including many popular frameworks and monitoring tools.
The Vulnerability
The core of the issue lies in how Node.js handles stack space when multiple async_hooks are active. An attacker can trigger a deeply nested asynchronous chain that exceeds the available stack space, leading to a process crash that cannot be caught by standard error handlers.
Who is Affected?
While the vulnerability is in the Node.js core, the following users are at high risk:
- React & Next.js Users: Applications using React Server Components (RSC) and streaming frequently utilize internal mechanisms that rely on async context.
- APM Users: If you use monitoring tools like New Relic, Datadog, or Sentry, these libraries use async_hooks to track transaction context across your app.
- Heavy Middleware Users: Express or Fastify apps with deep middleware stacks and complex async logic.
Affected Versions:
- Node.js 25.x (prior to 25.4.0)
- Node.js 24.x (all versions)
- Node.js 22.x (LTS - check for recent patches)
- Node.js 20.x (LTS - check for recent patches)
Mitigation Steps
1. Upgrade to Node.js 25.4.0+
The primary fix is to upgrade to the latest stable release. Node.js 25.4.0 includes architectural changes to how async context is stored, reducing the stack footprint of nested calls.
2. Update Your APM Agents
Most major APM providers have already released updates that use the newer AsyncLocalStorage API more efficiently to avoid triggering this stack limit.
3. Increase Stack Size (Temporary workaround)
If you cannot upgrade immediately, you can increase the default stack size for your Node.js process using the --stack-size flag:
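The launch wrapper below is an added example, not code from the Node.js advisory or this post: it applies the --stack-size workaround while keeping V8's stack budget under the OS thread-stack limit reported by `ulimit -s`, because V8 only reads the flag as a budget and does not allocate the stack, so a value above the real limit trades a stack-overflow error for a hard segfault. It assumes a POSIX sh whose `ulimit -s` reports KB; the 512 KB guard and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Node.js advisory: launch a Node.js app with
# the --stack-size workaround, keeping V8's stack budget under the OS
# thread-stack limit. V8 reads --stack-size in KB (default 984 on 64-bit)
# but does not allocate that stack; exceeding the real limit segfaults.
# Assumptions: POSIX sh whose `ulimit -s` reports KB; GUARD_KB is my own
# margin for native frames that live outside V8's region.

GUARD_KB=512
V8_DEFAULT_KB=984

# safe_stack_size_kb OS_LIMIT_KB REQUESTED_KB
# Prints the --stack-size value to use: the requested size, capped so
# that GUARD_KB of the OS limit stays free above it. Falls back to the
# V8 default when the OS limit leaves no room to raise it.
safe_stack_size_kb() {
  os_limit_kb=$1
  requested_kb=$2
  if [ "$os_limit_kb" = "unlimited" ]; then
    echo "$requested_kb"
    return 0
  fi
  max_kb=$((os_limit_kb - GUARD_KB))
  if [ "$max_kb" -lt "$V8_DEFAULT_KB" ]; then
    echo "$V8_DEFAULT_KB"
  elif [ "$requested_kb" -gt "$max_kb" ]; then
    echo "$max_kb"
  else
    echo "$requested_kb"
  fi
}

# launch_with_stack ENTRY_JS [REQUESTED_KB]: runs node with a safe --stack-size.
launch_with_stack() {
  entry=$1
  requested_kb=${2:-4096}
  os_limit_kb=$(ulimit -s)
  size_kb=$(safe_stack_size_kb "$os_limit_kb" "$requested_kb")
  echo "ulimit -s: ${os_limit_kb} KB -> node --stack-size=${size_kb}" >&2
  exec node --stack-size="$size_kb" "$entry"
}

# Usage: ./run.sh server.js [requested_kb]
if [ $# -gt 0 ]; then
  launch_with_stack "$@"
fi
```

--stack-size is a V8 flag that NODE_OPTIONS does not accept, so it has to be passed on the node command line as the wrapper does.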
The "HackerOne" Connection
Coinciding with this advisory, Node.js also announced new requirements for vulnerability reports on HackerOne. To reduce noise and focus on critical issues like this DoS, reporters must now demonstrate a "Signal" score before submitting new Node.js core bugs.
Conclusion
In the era of 2026 web development, where "Server-Side Everything" is the trend, the reliability of the underlying Node.js runtime is paramount. This stack exhaustion bug highlights the complexity of modern async architectures.
Action required: Audit your Node.js versions today and prioritize the upgrade to 25.4.0.