Overview
- Security updates are available in Node.js 20.20.0, 22.22.0, 24.13.0, and 25.3.0, with maintainers and hosting providers advised to update promptly.
- The issue is tracked as CVE-2025-59466 (CVSS 7.5) and the fix detects stack overflows and re-throws them to user code instead of exiting with code 7.
- Frameworks and APMs that rely on AsyncLocalStorage are affected, including React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry.
- Older Node.js lines from 8.x through 18.x remain unpatched due to end-of-life status, and the project classifies the change as a mitigation because stack exhaustion behavior is not specified by ECMAScript and V8 does not treat it as a security boundary.
- Node.js also shipped fixes for three high-severity bugs—CVE-2025-55131, CVE-2025-55130, and CVE-2025-59465—addressing risks such as data leakage, symlink-based file reads, and remote denial of service.