When Recursion Crashes Your App: The Async Hooks DoS Nobody Expected скачать в хорошем качестве

When Recursion Crashes Your App: The Async Hooks DoS Nobody Expected

JavaScript applications have long relied on a simple assumption: when recursion goes too far, the runtime throws a catchable error and the server survives. But under the hood, that assumption was never guaranteed — and with async context tracking enabled, it completely breaks. In this episode of The Node (& More) Banter, Luca Maraschi and Matteo Collina dive into a recently disclosed Node.js bug that turned deep recursion into an unrecoverable process crash. A subtle interaction between stack exhaustion and async_hooks caused Node.js to exit immediately — bypassing try/catch, uncaughtException, and any chance of graceful recovery. The result: a denial-of-service risk silently affecting React Server Components, Next.js, and nearly every APM tool in production. We’ll cover: ✅ Why stack overflows were never a reliable safety mechanism — even before this bug ✅ How AsyncLocalStorage and async_hooks put fatal error handling on the call stack ✅ Why React Server Components, Next.js request context, and APM tools were all affected ✅ How a single deeply nested request could crash an entire Node.js process ✅ What the fix actually changes — and why it’s a mitigation, not a full solution ✅ What teams should do now: upgrades, input limits, and safer architectural patterns ✅ What we tried and didn't work This wasn’t a React bug. It wasn’t an APM bug. And it wasn’t even really a Node.js security bug. It was a reminder that recovering from resource exhaustion is not a contract, and that modern Node.js architectures increasingly depend on behaviour the runtime never promised. If you run React, Next.js, or any Node.js service with async context or observability enabled, this episode explains what broke, why it mattered, and how to avoid building availability on assumptions that won’t always hold.