Security Update: DoS vulnerability in Node.js
January 16, 2026
The Node.js team has released a security update addressing a denial-of-service vulnerability affecting applications that use async_hooks (including in dependencies). Here’s what Netlify customers need to know.
Vulnerability
When async_hooks are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses try-catch blocks and uncaught exception handlers entirely.
A malicious actor could send a crafted payload to crash a server.
Note that many common tools and frameworks use async_hooks under the hood, notably APM and tracing tools (e.g. Datadog, New Relic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find more details on that here.
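Because the crash described above cannot be caught, input that could drive deep recursion has to be rejected before it reaches recursive code. The following is an added example, not Netlify's or the Node.js project's code; it assumes the crafted payload is deeply nested JSON, and `MAX_DEPTH`, `maxJsonDepth`, `parseBounded` and `handleBody` are hypothetical names.

```javascript
// Added example: bound the nesting depth of untrusted JSON before any
// recursive code (validators, serializers, renderers) gets to walk it.
// MAX_DEPTH is an assumed application limit, not a value from the advisory.
const MAX_DEPTH = 64;

// Iterative scan (no recursion, so the check itself cannot overflow the stack).
// Returns the deepest level of nested objects/arrays in the JSON text.
function maxJsonDepth(text) {
  let depth = 0, deepest = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;                      // brackets inside strings do not nest
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > deepest) deepest = depth;
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return deepest;
}

// Throws an ordinary, catchable Error for over-deep input; otherwise parses.
function parseBounded(text, limit = MAX_DEPTH) {
  const depth = maxJsonDepth(text);
  if (depth > limit) {
    throw new Error(`JSON nesting depth ${depth} exceeds limit ${limit}`);
  }
  return JSON.parse(text);
}

// Hypothetical handler shape: reject with a 400 instead of processing the body.
function handleBody(body) {
  try {
    return { statusCode: 200, data: parseBounded(body) };
  } catch (err) {
    return { statusCode: 400, error: err.message };
  }
}

// Constructed sample inputs.
const deep = '['.repeat(10000) + ']'.repeat(10000);
const benign = '{"note":"[[[[ not nesting ]]]]","items":[{"id":1}]}';
console.log(handleBody(deep).statusCode, handleBody(benign).statusCode);
```

This limits one input path only; running a patched Node.js version remains the fix.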
Impact on Netlify
This is a server-side denial-of-service (DoS) vulnerability. On Netlify, this has minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.
Note that Node.js used during your project’s build is not impacted at all.
What should I do?
If you have opted your Netlify Functions into Node.js 18, we recommend upgrading to Node.js 20 or later. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.
Otherwise, there is no action for you to take. Although this CVE’s impact on Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.
For completeness, please note that the Node.js version used during your project’s build is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.