Node.js
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*, +2 more
- ~20
- ~22
- ~24
A bug in Node.js error handling makes 'Maximum call stack size exceeded' errors uncatchable when 'async_hooks.createHook()' is enabled. Instead of reaching the 'process.on("uncaughtException")' handler, the error terminates the process, causing an unrecoverable crash. This issue affects applications that use 'AsyncLocalStorage' in Node.js versions 20.x and 22.x, or 'async_hooks.createHook()' in versions 24.x, 22.x, and 20.x. The vulnerability can be exploited by triggering deep recursion under specific conditions, leading to denial-of-service crashes.
The vulnerability causes processes to crash, bypassing error handlers and creating unrecoverable termination.
Users can update to Node.js versions 25.3.0, 24.13.0, 22.22.0, or 20.20.0, where this vulnerability has been fixed.
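To check a runtime or an inventory against the fixed releases listed above, the following added example (not code from Node.js or from this advisory) compares each version with the fixed release for its major line. The function names and the sample inventory are assumptions made for illustration.

```javascript
// Fixed release per major line, taken from the advisory text above.
const FIXED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };

// Parse "v22.11.0" or "22.11.0" into [major, minor, patch].
// Prerelease and build suffixes are ignored (a simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// status is one of:
//   "fixed"       at or above the fixed release for its line
//   "below-fixed" on a listed line but older than its fixed release
//   "unlisted"    a release line the advisory does not mention
function checkNodeVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return { status: "unlisted", fixedIn: null };
  const status = compare(parsed, fixed) >= 0 ? "fixed" : "below-fixed";
  return { status, fixedIn: fixed.join(".") };
}

// Return only the hosts that need attention (upgrade or manual review).
function auditFleet(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, version, ...checkNodeVersion(version) }))
    .filter((r) => r.status !== "fixed");
}

// Constructed sample inventory; hostnames and versions are illustrative only.
const sampleInventory = [
  { host: "api-1", version: "v20.19.5" },
  { host: "api-2", version: "v22.22.0" },
  { host: "worker-1", version: "v24.12.0" },
  { host: "batch-1", version: "v18.20.4" },
  { host: "edge-1", version: "v25.3.0" },
];

console.log("this runtime:", process.version, checkNodeVersion(process.version));
console.table(auditFleet(sampleInventory));
```

A "below-fixed" result only means the runtime predates the fixed release for its line; whether the application is exposed still depends on its use of 'AsyncLocalStorage' or 'async_hooks.createHook()' as described above.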