Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM
Blog post from Datadog
On January 13, 2026, Node.js disclosed a denial-of-service (DoS) vulnerability, identified as CVE-2025-59466. It affects applications that use async_hooks or AsyncLocalStorage and can cause unexpected process termination in Node.js versions 8.x to 23.x. The vulnerability is significant for Datadog APM customers because the Node.js tracer, dd-trace-js, uses AsyncLocalStorage. The issue is not exclusive to Datadog's tracer, however, and validation against patched Node.js versions is ongoing.

The vulnerability arises when a stack overflow occurs in user code while async_hooks is active. The overflow bypasses standard error handlers and leads to an unrecoverable process crash, which puts applications that rely on request context at risk, including those using React Server Components and Next.js.

Remediation involves upgrading to the patched Node.js versions released on the same day; specific guidance is available from Datadog's Security Research Feed. Datadog is committed to ongoing monitoring and to supporting customers who need configuration assistance.