Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users

nodejs.org/en/blog/v…

Node.js and V8 attempt to recover from stack space exhaustion by throwing a catchable error — a behaviour many frameworks rely on to maintain service availability. However, a defect triggered when async_hooks are in use breaks this recovery mechanism, causing Node.js to terminate immediately with exit code 7 when recursive user code exhausts stack space. As a result, applications in which recursion depth is influenced by unsanitized input are vulnerable to denial-of-service attacks.

The issue can cause silent and unexpected application crashes and affects a broad swath of the ecosystem. Due to the prevalence of this usage pattern in widely adopted frameworks — including React and Next.js — a significant number of applications are expected to be impacted.

The fix has been included in a Node.js security release because of its ecosystem-wide implications. However, the update should be viewed as a mitigation rather than a complete solution, given the broader architectural reliance on recoverable stack space exhaustion for availability.

Guidance from the Node.js project includes:

- Application owners and hosting providers should update to the patched versions as soon as possible.
- Library and framework maintainers should implement stronger protections against stack space exhaustion, such as limiting recursion depth or avoiding recursion where attacker-controlled input is possible.
- Developers should not rely on RangeError: Maximum call stack size exceeded as a security control, as this behaviour is best-effort and not guaranteed.
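The second and third guidance points above describe the defensive pattern in prose; the following is an added JavaScript example, written for this page and not taken from the Node.js post or from any framework, showing what it looks like in practice. Rather than wrapping a recursive walk in try/catch and hoping V8 throws a catchable RangeError (the best-effort behaviour the post says not to rely on), the code enforces its own depth budget and fails closed with a controlled error, and it also shows an iterative variant that keeps input nesting off the call stack entirely. The function names, the DepthLimitExceeded class and the MAX_DEPTH value of 64 are assumptions chosen for illustration; a real application would pick a limit from its own data model.

```javascript
// Added example (not from the Node.js post): bounding attacker-influenced
// recursion depth explicitly instead of relying on V8's stack-overflow
// RangeError, which is best-effort and, per the post, not guaranteed to be
// catchable when async_hooks are active.

class DepthLimitExceeded extends Error {
  constructor(limit) {
    super(`nesting depth exceeds limit of ${limit}`);
    this.name = 'DepthLimitExceeded';
  }
}

// Assumed application-specific limit, far below V8's default stack capacity
// so the budget check fires long before the stack could be exhausted.
const MAX_DEPTH = 64;

// Recursive walk over a JSON-like value that counts leaf values. The depth
// parameter is checked on entry, so a hostile payload is rejected with a
// controlled DepthLimitExceeded rather than an uncontrolled stack overflow.
function countLeavesRecursive(value, depth = 0, limit = MAX_DEPTH) {
  if (depth > limit) throw new DepthLimitExceeded(limit);
  if (value === null || typeof value !== 'object') return 1;
  const children = Array.isArray(value) ? value : Object.values(value);
  let total = 0;
  for (const child of children) {
    total += countLeavesRecursive(child, depth + 1, limit);
  }
  return total;
}

// Iterative alternative: an explicit work list on the heap means input
// nesting can never consume call-stack frames. The limit is still enforced
// so a hostile payload cannot drive unbounded memory or CPU use instead.
function countLeavesIterative(value, limit = MAX_DEPTH) {
  const work = [{ node: value, depth: 0 }];
  let total = 0;
  while (work.length > 0) {
    const { node, depth } = work.pop();
    if (depth > limit) throw new DepthLimitExceeded(limit);
    if (node === null || typeof node !== 'object') {
      total += 1;
      continue;
    }
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) work.push({ node: child, depth: depth + 1 });
  }
  return total;
}

// Constructed inputs for the demo: a benign document with 4 leaves, and a
// hostile one nested far deeper than any legitimate payload would be.
function buildNested(depth) {
  let v = 'leaf';
  for (let i = 0; i < depth; i++) v = [v];
  return v;
}

const benign = { a: [1, 2, { b: 3 }], c: 'x' };
const hostile = buildNested(100000);

// Runs both walkers over both inputs and reports what happened. For the
// hostile input each walker is expected to raise DepthLimitExceeded; neither
// ever reaches the point where V8 would have to throw a RangeError.
function demo() {
  const results = {
    benignRecursive: countLeavesRecursive(benign),
    benignIterative: countLeavesIterative(benign),
  };
  for (const fn of [countLeavesRecursive, countLeavesIterative]) {
    try {
      fn(hostile);
      results[fn.name] = 'unexpectedly succeeded';
    } catch (err) {
      results[fn.name] = err.name;
    }
  }
  return results;
}

console.log(demo());
```

The important design choice is that the limit check happens before any further recursion or allocation, and the error raised is the application's own type, so request handlers can map it to a 4xx response and logging can count rejected payloads as a detection signal. The iterative form is the stronger mitigation for code paths that take untrusted input, because it removes the dependency on stack recovery altogether rather than merely bounding it.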
Edward Kiledjian
@ekiledjian