Full Report
The Node.js project has issued a series of security updates addressing multiple vulnerabilities across its active release lines. The update covers versions in the 20.x, 22.x, 24.x, and 25.x branches, and includes fixes for several high, medium, and low severity issues. Among the most notable concerns is CVE-2026-21637, which appears prominently in the release due to its incomplete nature prior to remediation. The March 2026 security rollout includes updates to dependencies such as undici (versions 6.24.1 and 7.24.4) for supported release lines. A key issue addressed is tied to CVE-2026-21637, which exposed weaknesses in TLS error handling.

## Incomplete Fix for CVE-2026-21637 Leads to Remote DoS Risk

CVE-2026-21637 stems from improper exception handling in the TLS layer. Specifically, the `loadSNI()` function in `_tls_wrap.js` lacked a try/catch mechanism, which left `SNICallback` executions vulnerable to unhandled synchronous exceptions. When unexpected input is passed and the callback throws, the exception escapes the TLS layer's error handling and surfaces as an uncaught exception. In practical terms, this can crash a Node.js process, leading to a potential Remote Denial of Service (DoS). Notably, similar callback pathways like ALPN and PSK had already been secured under CVE-2026-21637, making this an incomplete fix of the same vulnerability. This issue impacts all Node.js versions that previously received the CVE-2026-21637 patch, namely 20.x, 22.x, 24.x, and 25.x, particularly in environments where `SNICallback` may fail on malformed server name inputs. The vulnerability was reported by mbarbs and resolved by mcollina.

## Additional High Severity Vulnerability in Node.js HTTP Handling

Another critical issue, tracked as CVE-2026-21710, affects HTTP request processing. A specially crafted request containing a `__proto__` header can trigger an uncaught `TypeError` when applications access `req.headersDistinct`. This occurs because `dest["__proto__"]` resolves to `Object.prototype` instead of `undefined`, so the code then calls `.push()` on a non-array object. Since the error is thrown from within a property getter, it cannot be intercepted by standard error handlers; applications remain exposed unless developers explicitly wrap each access in a try/catch block. All Node.js HTTP servers running versions 20.x through 25.x are affected. The issue was reported by yushengchen and fixed by mcollina.

## Medium Severity Issues Affecting Node.js Runtime and Security

Several medium-severity vulnerabilities were also addressed in this release:

- CVE-2026-21711: A bypass in the Node.js Permission Model allows Unix Domain Socket (UDS) servers to bind and listen without the `--allow-net` flag. This flaw enables unauthorized inter-process communication even when network access is intended to be restricted. It affects version 25.x and was reported by xavlimsg.
- CVE-2026-21712: A malformed internationalized domain name passed to `url.format()` can trigger an assertion failure in `node_url.cc`, crashing the process. This impacts versions 24.x and 25.x.
- CVE-2026-21713: A timing side-channel vulnerability in HMAC verification uses `memcmp()` instead of a constant-time comparison. This can leak timing data that might be exploited to infer MAC values under specific conditions.
- CVE-2026-21714: A memory leak in HTTP/2 servers occurs when `WINDOW_UPDATE` frames are abused, leading to resource exhaustion. The `Http2Session` object is not cleaned up even after a `GOAWAY` frame is issued.
- CVE-2026-21717: A HashDoS vulnerability in the V8 engine allows attackers to generate predictable hash collisions using integer-like strings. This can degrade performance, especially in endpoints processing untrusted JSON input.

## Low Severity Vulnerabilities in Node.js Permission Model

Two lower-severity issues were also identified:

- CVE-2026-21715: The `fs.realpathSync.native()` method bypasses read permission checks, allowing file existence disclosure even under restricted filesystem permissions.
- CVE-2026-21716: An incomplete patch for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without proper permission enforcement, enabling unauthorized modifications.

## Impact and Affected Node.js Versions

The impact varies slightly across versions:

- Node.js 25.x: 2 high, 5 medium, 2 low severity vulnerabilities
- Node.js 24.x: 2 high, 4 medium, 2 low severity vulnerabilities
- Node.js 22.x: 2 high, 4 medium, 2 low severity vulnerabilities
- Node.js 20.x: 2 high, 4 medium, 2 low severity vulnerabilities

The project released updated versions to address these issues:

- Node.js v20.20.2
- Node.js v22.22.2
- Node.js v24.14.1
- Node.js v25.8.2
Analysis Summary
# Vulnerability: Node.js March 2026 Security Release (Multiple Flaws)
## CVE Details
- **CVE ID:** CVE-2026-21637, CVE-2026-21710 (High); CVE-2026-21711, CVE-2026-21712, CVE-2026-21713, CVE-2026-21714, CVE-2026-21717 (Medium); CVE-2026-21715, CVE-2026-21716 (Low)
- **CVSS Score:** Not explicitly provided; categorized as High, Medium, and Low.
- **CWE:**
  - CWE-248: Uncaught Exception (CVE-2026-21637)
  - CWE-20: Improper Input Validation (CVE-2026-21710)
  - CWE-385: Timing Disclosure (CVE-2026-21713)
  - CWE-400: Uncontrolled Resource Consumption (CVE-2026-21714)
## Affected Systems
- **Products:** Node.js Runtime, Undici dependency (6.24.1 and 7.24.4).
- **Versions:** 20.x, 22.x, 24.x, and 25.x.
- **Configurations:**
  - **CVE-2026-21637:** Systems utilizing `SNICallback` for TLS.
  - **CVE-2026-21710:** Web servers accessing `req.headersDistinct`.
  - **CVE-2026-21711:** Systems using the Experimental Permission Model.
## Vulnerability Description
This security rollout addresses several critical failure points:
- **CVE-2026-21637 (Incomplete Fix):** The `loadSNI()` function in `_tls_wrap.js` lacked a try/catch block. Synchronous exceptions in the `SNICallback` bypass TLS protection, crashing the process.
- **CVE-2026-21710 (HTTP Prototype Pollution):** Malicious requests with a `__proto__` header cause `dest["__proto__"]` to resolve to `Object.prototype`. Accessing `req.headersDistinct` then attempts a `.push()` on a non-array, causing an uninterceptable `TypeError`.
- **CVE-2026-21717 (V8 HashDoS):** Attackers can trigger predictable hash collisions in the V8 engine using integer-like strings, leading to CPU exhaustion.
## Exploitation
- **Status:** Vulnerability details public; no specific mention of active "in-the-wild" exploitation in the report.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Medium (Timing side-channels and fs.realpathSync bypass).
- **Integrity:** Medium (Potential unauthorized file modifications via FileHandle API).
- **Availability:** High (Multiple vectors for Remote Denial of Service (DoS) via process crashes and memory leaks).
## Remediation
### Patches
Users should update to the following versions immediately:
- **Node.js v20.20.2**
- **Node.js v22.22.2**
- **Node.js v24.14.1**
- **Node.js v25.8.2**
### Workarounds
- **For CVE-2026-21710:** Manually wrap all accesses to `req.headersDistinct` in `try/catch` blocks.
- **General:** Sanitize incoming "Server Name" inputs before they reach the TLS handshake layer where possible.
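An alternative to the try/catch workaround for CVE-2026-21710, as an added example that is not Node.js' own implementation: the header-collection pattern that produces the `TypeError`, beside a hardened rebuild from `req.rawHeaders` on a null-prototype object. The function names and the sample header list are constructed for this illustration.

```javascript
'use strict';
// Added example (not Node.js' own implementation): the header-collection
// pattern behind CVE-2026-21710, next to a hardened version a handler can
// use in place of req.headersDistinct until the runtime is patched.

// Mirrors the defect: a plain object inherits the __proto__ accessor, so
// dest["__proto__"] is Object.prototype rather than undefined, and the
// following .push() call fails with a TypeError.
function distinctHeadersUnsafe(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) dest[name] = [value];
    else dest[name].push(value); // throws for "__proto__"
  }
  return dest;
}

// Hardened: a null-prototype object has no inherited properties, so every
// header name, "__proto__" included, is an ordinary own key.
function distinctHeadersSafe(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (Object.hasOwn(dest, name)) dest[name].push(value);
    else dest[name] = [value];
  }
  return dest;
}

// Drop-in accessor for request handlers: never touches the getter, rebuilding
// the map from req.rawHeaders (always present on http.IncomingMessage).
function safeHeadersDistinct(req) {
  return distinctHeadersSafe(req.rawHeaders);
}

// Constructed header list in req.rawHeaders form (alternating name, value),
// including the header that triggers the crash.
const SAMPLE_RAW_HEADERS = [
  'Host', 'api.example.test',
  'X-Forwarded-For', '203.0.113.10',
  'X-Forwarded-For', '198.51.100.7',
  '__proto__', 'polluted',
];
```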
## Detection
- **Indicators of Compromise:** Frequent, unexplained Node.js process restarts; high CPU usage spikes correlated with JSON POST requests (HashDoS); logs showing unhandled `TypeError` related to `headersDistinct`.
- **Detection Methods and Tools:** Monitor application crash logs for `_tls_wrap.js` or `Object.prototype` errors. Use dependency scanners to ensure `undici` is updated.
## References
- **Vendor Advisory:** hxxps[://]nodejs[.]org/en/blog/vulnerability/march-2026-security-releases
- **Source Article:** hxxps[://]thecyberexpress[.]com/nodejs-cve-2026-21637/