Skip to content

blog: add DoS mitigation post for async_hooks stack exhaustion#8542

Merged
mcollina merged 2 commits intomainfrom
blog/january-2026-dos-mitigation-async-hooks
Jan 13, 2026
Merged

blog: add DoS mitigation post for async_hooks stack exhaustion#8542
mcollina merged 2 commits intomainfrom
blog/january-2026-dos-mitigation-async-hooks

Conversation

@mcollina
Copy link
Member

@mcollina mcollina commented Jan 13, 2026

Summary

  • Add blog post explaining the vulnerability where stack overflow errors became uncatchable when async_hooks was enabled
  • Affects React Server Components, Next.js, and APM tools
  • Documents the fix included in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0

Test plan

  • Build passes locally
  • Review content for accuracy
  • Verify all links work

@vercel
Copy link

vercel bot commented Jan 13, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
nodejs-org Ready Ready Preview Jan 13, 2026 5:05pm

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/nodejs-website

Please review the changes when you have a chance. Thank you! 🙏

@codecov
Copy link

codecov bot commented Jan 13, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.01%. Comparing base (3dff177) to head (80db087).
⚠️ Report is 8 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8542      +/-   ##
==========================================
+ Coverage   75.00%   75.01%   +0.01%     
==========================================
  Files         103      103              
  Lines        9036     9036              
  Branches      311      311              
==========================================
+ Hits         6777     6778       +1     
+ Misses       2257     2256       -1     
  Partials        2        2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 13, 2026
edited
Loading

📦 Build Size Comparison

Summary

Metric Value
Old Total Size 3.74 MB
New Total Size 3.74 MB
Delta 326.00 B (+0.01%)

Changes

➕ Added Assets (1)
Name Size
.next/static/chunks/136e4ef93d7a1c9e.js 205.34 KB
➖ Removed Assets (1)
Name Size
.next/static/chunks/3c28d9721281dc72.js 205.02 KB

@mcollina mcollina marked this pull request as ready for review January 13, 2026 15:39
@mcollina mcollina requested a review from a team as a code owner January 13, 2026 15:39
Copilot AI review requested due to automatic review settings January 13, 2026 15:39
Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a comprehensive blog post documenting a critical DoS vulnerability affecting Node.js applications that use async_hooks, including React Server Components, Next.js, and all major APM tools. The vulnerability caused stack overflow errors to become uncatchable when async_hooks was enabled, leading to immediate process crashes with exit code 7.

Changes:

  • Added detailed vulnerability disclosure blog post explaining the async_hooks stack exhaustion issue
  • Documents the fix included in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0
  • Provides technical deep dive, code examples, timeline, and mitigation guidance

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@joyeecheung
Copy link
Member

joyeecheung commented Jan 13, 2026

I have some leftover suggestions from the original draft, I'll duplicate them here..

joyeecheung
joyeecheung reviewed Jan 13, 2026
View reviewed changes
@mcollina
Copy link
Member Author

mcollina commented Jan 13, 2026

@joyeecheung @marco-ippolito @RafaelGSS ping

@marco-ippolito
Copy link
Member

marco-ippolito commented Jan 13, 2026
edited
Loading

the new-post.md and npmrc file should be dropped

@mcollina @joyeecheung
blog: add DoS mitigation post for async_hooks stack exhaustion
e095ef6 
Add blog post explaining the vulnerability where stack overflow errors
became uncatchable when async_hooks was enabled, affecting React Server
Components, Next.js, and APM tools.

Co-Authored-By: Joyee Cheung <joyeec9h3@gmail.com>
@mcollina mcollina force-pushed the blog/january-2026-dos-mitigation-async-hooks branch from 0d18259 to e095ef6 Compare January 13, 2026 16:23
@mcollina mcollina force-pushed the blog/january-2026-dos-mitigation-async-hooks branch from 9579861 to 9b46208 Compare January 13, 2026 16:27
@mcollina mcollina force-pushed the blog/january-2026-dos-mitigation-async-hooks branch from 9b46208 to 6c101fd Compare January 13, 2026 16:28
@mcollina
Copy link
Member Author

mcollina commented Jan 13, 2026

@marco-ippolito @RafaelGSS @joyeecheung ptal

@mcollina mcollina force-pushed the blog/january-2026-dos-mitigation-async-hooks branch from 6c101fd to 66b49c1 Compare January 13, 2026 17:02
@mcollina mcollina force-pushed the blog/january-2026-dos-mitigation-async-hooks branch from 66b49c1 to 80db087 Compare January 13, 2026 17:03
@mcollina
Copy link
Member Author

mcollina commented Jan 13, 2026

@joyeecheung ping

@mcollina mcollina added this pull request to the merge queue Jan 13, 2026
Merged via the queue into main with commit f0cb063 Jan 13, 2026
12 checks passed
@mcollina mcollina deleted the blog/january-2026-dos-mitigation-async-hooks branch January 13, 2026 17:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@joyeecheung joyeecheung joyeecheung approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@avivkeller avivkeller avivkeller approved these changes

@RafaelGSS RafaelGSS Awaiting requested review from RafaelGSS

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mcollina @joyeecheung @marco-ippolito @avivkeller