upgrade Node.js to 22.22.0 for CVE stack overflow vulnerability #30935

@zhsama

Self Checks

  • I have read the Contributing Guide and Language Policy.
  • This is only for bug report, if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • [Chinese users & non-English users] Please submit in English, otherwise it will be closed :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

1.11.3

Cloud or Self Hosted

Cloud, Self Hosted (Docker)

Steps to reproduce

Why

Node.js 22.21.1 and earlier versions have a bug where applications using:

  • React Server Components (via AsyncLocalStorage)
  • Next.js request context tracking
  • APM tools (OpenTelemetry, Datadog, etc.)

...are vulnerable to DoS attacks through deeply nested user input causing unrecoverable crashes.

✔️ Expected Behavior

Reference

Patched in Node.js 22.22.0 (released January 13, 2026)

❌ Actual Behavior

No response
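
A startup check and an input guard for the condition this issue describes, as an added example that is not code from Dify or Node.js: `nodeStatus` compares a version string with the 22.22.0 release the issue cites, and `parseBounded` rejects deeply nested JSON before it is parsed. The function names and the depth limit of 64 are assumptions, and the depth guard is an interim measure alongside the upgrade, not something the issue proposes.

```javascript
'use strict';
// Added example: names and limits here are assumptions, not project code.
const PATCHED = [22, 22, 0]; // from the issue: "Patched in Node.js 22.22.0"

// Classify a version string such as "v22.21.1" as 'patched', 'affected' or 'unknown'.
function nodeStatus(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return 'unknown';
  const v = m.slice(1).map(Number);
  // The issue only gives the fixed release for the 22.x line.
  if (v[0] !== PATCHED[0]) return 'unknown';
  for (let i = 1; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] > PATCHED[i] ? 'patched' : 'affected';
  }
  return 'patched';
}

// Maximum bracket nesting of JSON text, computed with a loop (no recursion)
// and ignoring brackets that appear inside string literals.
function maxNestingDepth(text) {
  let depth = 0, max = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;               // skip the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') inString = true;
    else if (c === '[' || c === '{') max = Math.max(max, ++depth);
    else if (c === ']' || c === '}') depth--;
  }
  return max;
}

// Parse untrusted JSON only if its nesting stays within `limit` (assumed default: 64).
function parseBounded(text, limit = 64) {
  const depth = maxNestingDepth(text);
  if (depth > limit) throw new RangeError(`JSON nesting ${depth} exceeds limit ${limit}`);
  return JSON.parse(text);
}

// Warn at startup when the running interpreter is in the range the issue reports.
if (nodeStatus(process.version) === 'affected') {
  console.warn(`Node.js ${process.version} predates 22.22.0; upgrade the runtime image.`);
}
```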
