Critical Node.js async_hooks Bug Triggers Server-Crashing Stack Overflows

In January 2026, the cybersecurity community was alerted to a critical vulnerability within the Node.js ecosystem. Designated as CVE-2025-24357, this flaw in the require() function’s resolution mechanism opens a door for attackers to perform a path traversal, potentially leading to devastating Remote Code Execution (RCE). This breach vector allows a threat actor to load and execute arbitrary JavaScript code from outside the intended module directory, fundamentally breaking the application’s security boundaries.