On 1/13/26 06:58, Jan Schaumann wrote:
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers (CVE-2025-59466) - (Medium)We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
The node.js team has also published a much more in-depth discussion at: https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks with a shorter intro in the thread starting at: https://x.com/matteocollina/status/2011137343323865196 -- -Alan Coopersmith- [email protected] Oracle Solaris Engineering - https://blogs.oracle.com/solaris
