HeadlinesBriefing.com

Node.js DoS Vulnerability: Patch Now

DEV Community

Production Node.js environments face a critical security advisory. A new Denial of Service vulnerability affects the core `async_hooks` module, threatening servers using `AsyncLocalStorage` or popular observability tools like New Relic and Datadog. Attackers can exploit this flaw by crafting malicious asynchronous patterns, triggering severe memory consumption or CPU spikes that bypass standard application error handling.

This vulnerability impacts unpatched Node.js versions 20.x, 22.x, and 24.x. Because `async_hooks` integrates deeply with the event loop, a bug here threatens overall system stability and request processing. Developers must prioritize this update to prevent Out-of-Memory crashes or unresponsive servers, especially those handling untrusted user input in production environments.

The Node.js team released patched versions for all active LTS and Current branches. Immediate action is required: verify your current runtime with `node -v` and update using nvm or Docker. Developers using TypeScript must also sync their `@types/node` package to match the new runtime. If an immediate update isn't feasible, consider disabling non-essential tracing or implementing strict rate limiting.
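A deploy-time check for the two verification steps above (runtime version and `@types/node` alignment), as an added example that is not from the advisory or the Node.js project. The function names are hypothetical and the `PATCHED_MIN` values are constructed placeholders, because this page does not list the patched release numbers.

```javascript
// Added example. PATCHED_MIN holds constructed placeholders that flag every
// runtime until you replace them with the releases named in the advisory.
const PATCHED_MIN = { 20: '20.999.0', 22: '22.999.0', 24: '24.999.0' };

// Parse "v22.11.0", "22.11.0" or a range such as "^22.10.2" into [major, minor, patch].
function parseVersion(text) {
  const m = /(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(text));
  if (!m) return null;
  return [m[1], m[2] || 0, m[3] || 0].map(Number);
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns a list of findings; an empty list means the deploy may proceed.
function auditRuntime(nodeVersion, pkg, patchedMin = PATCHED_MIN) {
  const findings = [];
  const runtime = parseVersion(nodeVersion);
  if (!runtime) return [`unparseable runtime version: ${nodeVersion}`];
  const min = patchedMin[runtime[0]];
  if (min === undefined) {
    findings.push(`Node ${runtime[0]}.x is not in the patched-release table; check the advisory`);
  } else if (compare(runtime, parseVersion(min)) < 0) {
    findings.push(`Node ${runtime.join('.')} is older than patched ${min}`);
  }
  // @types/node may sit in either dependency section of package.json.
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const typesRange = deps['@types/node'];
  if (typesRange !== undefined) {
    const types = parseVersion(typesRange);
    if (!types) findings.push(`cannot read @types/node range: ${typesRange}`);
    else if (types[0] !== runtime[0]) {
      findings.push(`@types/node ${typesRange} does not match runtime major ${runtime[0]}`);
    }
  }
  return findings;
}

// Check the running process against a constructed package.json.
const samplePkg = { devDependencies: { '@types/node': '^20.11.0' } };
const findings = auditRuntime(process.versions.node, samplePkg);
console.log(findings.length ? findings.join('\n') : 'runtime and @types/node look consistent');
```

In CI, pass the parsed contents of the project's real `package.json` and exit non-zero when the returned list is not empty.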