Node.js Fixes AsyncLocalStorage Crash Bug That Could Take Down Production Servers

On January 13, 2026, the Node.js project released a critical security update to address a bug that could cause production applications to crash unexpectedly when handling deeply nested input, affecting many Node.js apps using AsyncLocalStorage. This issue, primarily triggered by async context tracking, impacted applications built with frameworks like React Server Components and Next.js, as well as major application performance monitoring tools. The bug caused Node.js to exit with an error code if a stack overflow occurred while async_hooks was enabled, bypassing error handling mechanisms and leading to server crashes. The patch, included in a security release, modifies Node.js behavior to detect stack overflow errors and rethrow them to user code instead of treating them as fatal, though it stops short of classifying the issue as a vulnerability. Applications running on Node.js 24 and newer are not affected due to changes in AsyncLocalStorage implementation, while older versions have received patches. Node.js maintainers advised developers against relying on stack overflow recovery for availability, emphasizing the importance of input validation to prevent similar issues in the future.