We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

An exception is thrown from a function, but it is not caught.

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | 20.0.0 (including) | 20.20.0 (excluding) |
| Node.js | Nodejs | 22.0.0 (including) | 22.22.0 (excluding) |
| Node.js | Nodejs | 24.0.0 (including) | 24.13.0 (excluding) |
| Node.js | Nodejs | 25.0.0 (including) | 25.3.0 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | nodejs24-1:24.13.0-1.el10_1 | * |
| Red Hat Enterprise Linux 10 | RedHat | nodejs22-1:22.22.0-3.el10_1 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:24-8100020260116121421.6d880403 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:22-8100020260119091831.6d880403 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:20-8100020260119100525.489197e6 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:24-9070020260117213814.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:22-9070020260117213838.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:20-9070020260117213748.rhel9 | * |
| Nodejs | Ubuntu | plucky | * |
| Nodejs | Ubuntu | upstream | * |
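
To check a runtime or a host inventory against the upstream ranges in the table, the following added example (not code from the Node.js project or from this advisory) compares a version string with the fixed release for its line and reports which of the features named in the description apply. The host names and inventory are constructed, and treating a pre-release of a fixed version as still affected is an assumption. Distribution packages such as the Red Hat builds carry their own package versions and should be compared against the package rows instead.

```javascript
// Fixed upstream releases per release line, copied from the table above.
const FIXED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 3, 0] };
// Triggering features the description names for each release line.
const TRIGGERS = {
  20: ['AsyncLocalStorage', 'async_hooks.createHook()'],
  22: ['AsyncLocalStorage', 'async_hooks.createHook()'],
  24: ['async_hooks.createHook()'],
  25: [], // in the table, but the description names no trigger for 25.x
};

// Parse "v22.21.1" or "22.22.0-rc.1" into numeric parts plus a pre-release flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new TypeError(`unrecognised Node.js version: ${v}`);
  return { parts: m.slice(1, 4).map(Number), prerelease: Boolean(m[4]) };
}

// Numeric comparison of [major, minor, patch] triples: negative if a < b.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function assess(version) {
  const { parts, prerelease } = parseVersion(version);
  const fixed = FIXED[parts[0]];
  if (!fixed) return { version, status: 'not-listed', fixedIn: null, triggers: [] };
  const cmp = compareParts(parts, fixed);
  // Assumption: a pre-release of the fixed version is treated as still affected.
  const affected = cmp < 0 || (cmp === 0 && prerelease);
  return {
    version,
    status: affected ? 'affected' : 'patched',
    fixedIn: fixed.join('.'),
    triggers: affected ? TRIGGERS[parts[0]] : [],
  };
}

// Constructed inventory (hypothetical host names) plus the running runtime.
const inventory = { 'api-1': 'v20.19.5', 'worker-3': 'v22.22.0', 'edge-2': 'v24.12.0' };
function assessInventory(hosts) {
  return Object.entries(hosts).map(([host, v]) => ({ host, ...assess(v) }));
}
console.table(assessInventory({ ...inventory, 'this-process': process.version }));
```

A `not-listed` result means the release line does not appear in the table, not that it has been confirmed unaffected.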