VulnHub

Real-time Cybersecurity News

Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

The Hacker News
ExploitVulnerabilityCritical

Overview

Node.js has issued urgent updates to address a serious vulnerability that affects nearly all production applications using the platform. The flaw, related to the async_hooks module, can lead to a stack overflow, resulting in a denial-of-service (DoS) condition. This means that if attackers exploit this vulnerability, they could crash servers running affected applications, disrupting services. Developers and companies using Node.js should prioritize applying these patches to maintain service availability and prevent potential outages. The vulnerability is especially concerning because it touches on core functionality that many frameworks rely on for stability.

Key Takeaways

  • Affected Systems: Node.js applications, specifically those using async_hooks
  • Action Required: Node.
  • Timeline: Newly disclosed

Original Article Summary

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's

Impact

Node.js applications, specifically those using async_hooks

Exploitation Status

The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.

Timeline

Newly disclosed

Remediation

Node.js has released updates; specific version numbers or patch details are not mentioned.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Exploit, Vulnerability, Critical.

Read Original Article

Related Coverage

Vercel Confirms Cyber Incident After Sophisticated Attacker Exploits Third‑Party Tool

Infosecurity Magazine

Vercel, a cloud app developer, has confirmed that it faced a security breach due to a sophisticated attack that exploited a third-party tool. The details surrounding the breach remain limited, but it raises concerns regarding the safety of applications built on Vercel's platform. Users and developers relying on Vercel for their cloud services should be vigilant, as this incident highlights potential vulnerabilities in third-party integrations. The company is likely working to assess the full impact of the breach and implement necessary security measures to prevent future incidents. This situation serves as a reminder for all companies to review their security practices, especially when using external tools and services.

Apr 21, 2026

NGate Android malware uses HandyPay NFC app to steal card data

BleepingComputer

A new variant of the NGate malware is targeting Android users by disguising itself within a trojanized version of HandyPay, a legitimate mobile payment app. This malware is designed to steal NFC payment data, posing a significant risk to users who rely on their smartphones for transactions. By embedding itself in a trusted application, attackers are increasing the chances that unsuspecting users will download and use the malicious version. Users of Android devices should be cautious about installing apps from unofficial sources and ensure they are using the latest security updates to protect their sensitive financial information. The implications of this malware are serious, as it could lead to unauthorized transactions and financial loss for those affected.

Apr 21, 2026

North Korean Blamed for $290m KelpDAO Crypto Heist

Infosecurity Magazine

North Korea's Lazarus Group has been implicated in a significant cyber theft involving KelpDAO, a decentralized finance platform, with losses estimated at $290 million. This incident marks another high-profile attack linked to the notorious group, known for its involvement in various cybercrimes, including cryptocurrency thefts. KelpDAO is now facing the repercussions of this breach, which impacts not only its operations but also the broader crypto community concerned about security. The attack raises alarms about the vulnerability of decentralized finance platforms to state-sponsored hacking, emphasizing the need for enhanced security measures across the industry. As the investigation unfolds, it is crucial for crypto users and platforms to remain vigilant against such threats.

Apr 21, 2026

Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility

Security Affairs

Bluesky, a decentralized microblogging platform, was hit by a 24-hour Distributed Denial of Service (DDoS) attack that began on April 15. The attack led to significant service disruptions, impacting users who rely on the platform for communication and information sharing. A pro-Iran hacker group has claimed responsibility for this attack, indicating a possible politically motivated cyber incident. DDoS attacks can overwhelm a service with traffic, rendering it unavailable to legitimate users, which raises concerns about the platform's security and its ability to handle such threats in the future. This incident serves as a reminder of the ongoing risks facing online platforms, especially those involved in social discourse.

Apr 21, 2026

Researchers build an encrypted routing layer for private AI inference

Help Net Security

Researchers have developed a new encrypted routing layer that enhances privacy for organizations using large AI models, particularly in sensitive sectors like healthcare and finance. The method employs Secure Multi-Party Computation (MPC), which breaks down data into encrypted fragments and spreads them across multiple servers. This approach allows the servers to process AI queries without ever accessing the original data, ensuring that sensitive information remains confidential. This advancement is significant as it addresses growing concerns over data privacy when utilizing cloud-based AI services. Companies looking to implement AI while safeguarding private information may find this technology particularly beneficial.

Apr 21, 2026

Multiple other companies purportedly breached by ShinyHunters, over 9M record leak warned

SCM feed for Latest

The hacking group ShinyHunters claims to have breached nine well-known companies, including Zara, 7-Eleven, and Carnival Corporation. They are threatening to release over 9 million records that contain personal information and internal data unless a ransom is paid by April 21. This situation raises significant concerns for the affected brands as it puts customer data at risk and could lead to identity theft or other malicious activities. The release of such a large volume of sensitive information could also damage the reputation of these companies and erode consumer trust. As the deadline approaches, it remains crucial for these organizations to enhance their security measures and communicate transparently with their customers about the potential breach.

Apr 20, 2026