"Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability, A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to Denial-of-Service attacks."
"At its core, the shortcoming stems from the fact that Node.js exits with code 7 (denoting an Internal Exception Handler Run-Time Failure) instead of gracefully handling the exception when a stack overflow occurs in user code while async_hooks is enabled. Async_hooks is a low-level Node.js API that allows developers to track the lifecycle of asynchronous resources, such as database queries, timers, or HTTP requests."
Node.js released updates fixing a critical vulnerability that can cause denial-of-service when async_hooks is enabled and user-code recursion exhausts stack space. The bug breaks Node.js/V8's best-effort recovery from stack exhaustion by causing the runtime to exit with code 7 (Internal Exception Handler Run-Time Failure) instead of throwing a catchable error. AsyncLocalStorage and other async_hooks-based features used by frameworks and APMs can make many production applications vulnerable because they rely on catchable stack-exhaustion errors for availability. The flaw affects Node.js releases from 8.x through 18.x and is resolved in 20.20.0, 22.22.0, 24.13.0, and 25.3.0; affected applications should update to mitigate DoS risk.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]