Conversation

@joyeecheung (Member)

It seems there is still some confusion about how this weakness works, especially since APM tools are only part of the reproduction but are not vulnerable per se. This patch tries to clarify a bit and add some pointers to the CWEs that apply.

Check List

  • I have read the Contributing Guidelines and made commit messages that follow the guideline.
  • I have run pnpm format to ensure the code follows the style guide.
  • I have run pnpm test to check if all tests are passing.
  • I have run pnpm build to check if the website builds without errors.
  • I've covered new added functionality with unit tests if necessary.

Copilot AI review requested due to automatic review settings January 15, 2026 18:19
@joyeecheung joyeecheung requested a review from a team as a code owner January 15, 2026 18:19
Copilot AI (Contributor) left a comment

Pull request overview

This pull request clarifies the async hooks DoS vulnerability blog post to address confusion about the nature of the weakness. The changes emphasize that APM tools are not vulnerable themselves but enable reproduction of an edge case that exposes a broader ecosystem weakness: reliance on unspecified stack overflow behavior.

Changes:

  • Clarified that the issue is an edge case affecting recovery from stack exhaustion when async_hooks are enabled
  • Added CWE references (CWE-758 and CWE-674) to document the underlying weaknesses
  • Updated section titles to better reflect the nature of the issue ("The Reproduction" instead of "The Bug", APM tools "Makes It Easier to Reproduce" rather than implying they are affected)
  • Improved language throughout to distinguish between the mitigation and the underlying ecosystem weakness

codecov bot commented Jan 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.97%. Comparing base (7a949e8) to head (1c0cb25).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8556      +/-   ##
==========================================
+ Coverage   74.96%   74.97%   +0.01%     
==========================================
  Files         103      103              
  Lines        9036     9036              
  Branches      312      312              
==========================================
+ Hits         6774     6775       +1     
+ Misses       2260     2259       -1     
  Partials        2        2              

joyeecheung and others added 2 commits January 15, 2026 19:25
…ion-async-hooks.md

Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com>
…ion-async-hooks.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com>
@mcollina (Member) left a comment

lgtm

@joyeecheung (Member, Author)

Added a callout to the proper tail calls in the reproduction to help with understanding it; I also noticed the list isn't working without the -. Can you take a look again @mcollina?

@joyeecheung joyeecheung added this pull request to the merge queue Jan 15, 2026
Merged via the queue into nodejs:main with commit ec36423 Jan 15, 2026
12 checks passed
@joyeecheung joyeecheung deleted the ah-wording branch January 15, 2026 19:58