Posts tagged "Functions"

The Node.js team has released a security update addressing a denial-of-service vulnerability affecting applications that use async_hooks (including in dependencies). Here’s what Netlify customers need to know.

Vulnerability

When async_hooks are enabled on certain versions of Node.js, a stack overflow causes the Node.js process to exit immediately rather than throw a catchable error. This bypasses try-catch blocks and uncaught exception handlers entirely.

A malicious actor could send a crafted payload to crash a server.

Note that many common tools and frameworks use async_hooks under the hood, notably APM and tracing tools (e.g. DataDog, NewRelic, OpenTelemetry) as well as Next.js App Router and other React Server Components implementations. You can find more details on that here.

Impact on Netlify

This is a server-side denial-of-service (DoS) vulnerability. On Netlify, this has minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your cold starts and your function costs.

Note that Node.js used during your project’s build is not impacted at all.

What should I do?

If you have opted your Netlify Functions into Node.js 18, we recommend upgrading to Node.js 20 or later. Node.js 18 reached end-of-life in April 2025 and thus will not be patched.

Otherwise, there is no action for you to take. Although this CVE’s impact to Netlify sites is limited, deployed Netlify Functions will be updated to patched Node.js versions automatically on a rolling basis.

For completeness, please note that the Node.js version used during your project’s build is not relevant to this CVE. There is no action for you to take and this will not be automatically patched.

Resources

• Node.js security release announcement
• Netlify Functions Node.js version configuration

Netlify Observability offers real-time visibility into your project’s production performance and resource usage.

Monitor requests, bandwidth, runtime behavior, functions, and Edge Functions to understand how your web project operates in production, fix errors, and optimize web performance.

Get a deep feature tour from our Observability blog post.

Try Observability

From your project overview, select Logs & metrics > Observability. To expand details for a request, select a request.

Availability

Observability is available for Credit-based plans and Enterprise plans. If you have a Legacy pricing plan, you can get a sneak peek at your observability data by checking out the widget from your Project Overview.

Credit-based plan	Time filter available
Free	Past 24 hours
Personal	Past 7 days
Pro	Past 30 days

Enterprise plan	Time filter available
Any opted-in Enterprise plan	Past 30 days

Note that if you have a Credit-based plan or have Observability enabled for an Enterprise plan, then Function Metrics will no longer be available to you as it is replaced by Observability.

If you do not have Observability, then Function Metrics will continue to be available to you.

Learn more in our Function metrics docs.

Other monitoring updates

As part of monitoring updates, we have also updated the names of some of our monitoring features.

Old name	New name
Real User Metrics	Real User Monitoring
Project analytics (formerly site analytics)	Web analytics

Further info

To learn more, check out Observability docs.

Netlify and Sentry provide a powerful combination of tools that help developers build, deploy, and monitor your web projects with ease and accuracy. The latest Sentry integration provides error monitoring for Netlify Functions, Background & Scheduled Functions.