---
title: "Vulnerability in Node.js: what Netlify users need to know"
description: "A vulnerability in Node.js has been disclosed. This has minimal impact on Netlify, but all affected sites should upgrade"
source: "https://www.netlify.com/changelog/2026-01-16-nodejs-async-hooks-dos-vulnerability/"
last_updated: "2026-07-06T05:24:51.000Z"
---
The Node.js team has released a [security update addressing a denial-of-service vulnerability](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks) affecting applications that use `async_hooks` (including in dependencies). Here’s what Netlify customers need to know.

## Vulnerability

When `async_hooks` are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses `try-catch` blocks and uncaught exception handlers entirely.

A malicious actor could send a crafted payload to crash a server.

Note that many common tools and frameworks use `async_hooks` under the hood, notably APM and tracing tools (e.g. DataDog, NewRelic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find [more details on that here](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks#important-react-and-nextjs-impact-by-version).

## Impact on Netlify

This is a server-side denial-of-service (DoS) vulnerability. **On Netlify, this has minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.

Note that Node.js used during your project’s _build_ is not impacted at all.

## What should I do?

If you have [opted your Netlify Functions into Node.js 18](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime), we **recommend upgrading to Node.js 20 or later**. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.

Otherwise, there is **no action for you to take**. Although this CVE’s impact to Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.

For completeness, please note that [the Node.js version used during your project’s _build_](https://docs.netlify.com/build/configure-builds/manage-dependencies/#nodejs-and-javascript) is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.

## Resources

-   [Node.js security release announcement](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks)
-   [Netlify Functions Node.js version configuration](https://docs.netlify.com/build/functions/optional-configuration/?fn-language=js&data-tab=TypeScript#nodejs-version-for-runtime)