Skip to content

blog: otel-js Node.js DOS Mitigation #8916

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tiffany76 merged 6 commits into from
Jan 15, 2026
+46 −0
Merged

blog: otel-js Node.js DOS Mitigation #8916

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
afe0ec3
blog: oteljs nodejs dos mitigation
JamieDanielson Jan 15, 2026
47fdc57
clarify based on pr feedback
JamieDanielson Jan 15, 2026
dc4bf1e
Results from /fix directive
otelbot[bot] Jan 15, 2026
c3336b6
Merge branch 'main' into jamie.oteljs-node-cve-mitigation
maryliag Jan 15, 2026
0f73db4
Update content/en/blog/2026/oteljs-nodejs-dos-mitigation.md
JamieDanielson Jan 15, 2026
a491640
Results from /fix directive
otelbot[bot] Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions content/en/blog/2026/oteljs-nodejs-dos-mitigation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
title: OpenTelemetry JS Statement on Node.js DOS Mitigation
linkTitle: OTel JS DOS Mitigation
date: 2026-01-15
author: >
[Jamie Danielson](https://github.com/JamieDanielson) (Honeycomb)
sig: OpenTelemetry JS
cSpell:ignore: Danielson
---

You may have seen a recent Node.js security advisory and related coverage
discussing a potential denial-of-service issue involving `async_hooks`.
OpenTelemetry (and other APM tools) were mentioned because we rely on
`AsyncLocalStorage` for context propagation.

To be clear: **this is not a bug or vulnerability in OpenTelemetry**. The issue
ultimately lies in applications and frameworks that rely on unspecified stack
space exhaustion behavior for availability. In Node.js versions before 24.x,
`AsyncLocalStorage` is implemented on top of `async_hooks`, which - when
combined with this unsafe assumption — made the edge case easier to reproduce.

The Node.js team has fixed this behavior in **Node.js 20.20.0 and newer** to
make the edge case harder to reproduce. This fix is **not being backported to
Node.js 18**, so the recommended mitigation is to upgrade to Node.js 20+ if you
haven’t already. Review
[this table](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks#affected-versions)
for specific affected versions and patches.

There’s nothing OpenTelemetry-specific you need to change — following the Node.js
upgrade guidance is sufficient. As always, we recommend running on supported and
patched Node.js versions.

Thanks to the Node.js security team for the fix, and to the community for
helping share accurate information. This was included in a security release for
visibility, but is not classified as a security issue by V8.

For more details, see the
[Node.js security bulletin](https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks).
8 changes: 8 additions & 0 deletions static/refcache.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16751,6 +16751,14 @@
"StatusCode": 200,
"LastSeen": "2026-01-07T09:45:09.135872063Z"
},
"https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks": {
"StatusCode": 200,
"LastSeen": "2026-01-15T21:06:29.759587839Z"
},
"https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks#affected-versions": {
"StatusCode": 200,
"LastSeen": "2026-01-15T21:06:26.147187144Z"
},
"https://nodejs.org/en/download/": {
"StatusCode": 200,
"LastSeen": "2026-01-08T09:44:46.566444491Z"
Expand Down
Loading