Node.js January 2026 DoS Vulnerability in Async Hooks

Published: January 14, 2026 at 10:02 PM EST
3 min read
Source: Dev.to

If you are running Node.js in production, it’s time to check your version numbers.

Earlier today, the Node.js team released a critical security update regarding a Denial of Service (DoS) vulnerability tied to the async_hooks module. If you use observability tools, tracing libraries, or AsyncLocalStorage, your application might be at risk.

In this post, we’ll break down what happened, why async_hooks is involved, and how to fix it.

What is async_hooks anyway?

Before we dive into the vulnerability, let’s recap. The async_hooks API is a powerful, low‑level built‑in module in Node.js that allows you to track the lifetime of asynchronous resources (like promises, timeouts, or TCP sockets).

It’s the engine behind many things we love:

  • AsyncLocalStorage – used for keeping track of request IDs across different functions.
  • APM Tools – New Relic, Datadog, and OpenTelemetry use it to trace requests.
  • Logging Frameworks – to inject context into your logs.

Because these hook callbacks run every time an asynchronous resource is created, resolved, or destroyed, their cost is paid on every async operation in the process, not just in the code that opted in. Any inefficiency or bug in this path therefore has process-wide performance implications.

The Vulnerability: The “January 2026” DoS

The Exploit

The official advisory is the authority on the exact trigger; in broad terms, a malicious actor can craft specific asynchronous patterns, likely involving deeply nested or recursive async calls, that cause the internal resource-tracking mechanism to consume an unbounded amount of memory or CPU cycles.

The result is an Out-of-Memory (OOM) crash or a CPU spike that leaves the server unresponsive. Neither is an exception your code can catch: V8 heap exhaustion aborts the whole process, and a saturated event loop never gets back to your handlers, so application-level try/catch blocks offer no protection. A process supervisor (systemd, a container orchestrator, pm2) restarting the process bounds the outage, but it does not stop an attacker from triggering it again.

Who is affected?

You are likely affected if:

  • You are using an unpatched version of Node.js (v20.x, v22.x, or v24.x).
  • Your application (or its dependencies) uses async_hooks or AsyncLocalStorage.
  • Your server processes untrusted user input that triggers asynchronous logic.

The Fix: Update Now

1. Identify your version

node -v

2. Update to the patched versions

  • Node.js v24.x → the first fixed v24.x release listed in the advisory, or later
  • Node.js v22.x (LTS) → the first fixed v22.x release listed in the advisory, or later
  • Node.js v20.x (LTS) → the first fixed v20.x release listed in the advisory, or later

(This post does not reproduce the exact version numbers; take them from the official advisory and confirm with node -v after upgrading.)

3. How to update

Using nvm (Node Version Manager)

nvm install 22 --reinstall-packages-from=22   # newest 22.x, keeping your global packages
nvm use 22
node -v                                       # confirm it is at or above the advisory's fixed version

nvm install 22 resolves to whatever the newest 22.x release is on the mirror at that moment, so check node -v against the advisory rather than assuming the fix is in.

Using Docker

# From
FROM node:22-slim
# To the exact patched release named in the advisory (22.14.0 below is a placeholder)
FROM node:22.14.0-slim

A floating tag such as node:22-slim only picks up the fix when the image is rebuilt with docker build --pull; a cached base layer keeps the old binary. Pinning the exact version makes the upgrade explicit and reproducible. Either way, rebuild and redeploy every image: a running container keeps the Node.js it was built with.

Temporary Mitigation (If you can’t update immediately)

  • Audit Dependencies: Check if you are using libraries like cls-hooked or older tracing agents that rely heavily on async_hooks and see if they have issued their own workarounds.
  • Disable Non‑Essential Tracing: If you are using AsyncLocalStorage only for non‑critical logging, consider disabling it temporarily in high‑risk environments.
  • Rate Limiting: Implement aggressive rate limiting at the reverse‑proxy level (e.g., Nginx, Cloudflare) to make it harder for attackers to flood your event loop with complex async requests. This limits how fast an attacker can retry, not whether the trigger works, so treat it as a stopgap until the update is deployed.

For more details, read the full official security blog post at nodejs.org.