The update resolves seven tracked vulnerabilities spanning TLS error handling, HTTP/2 flow control, cryptographic timing leaks, permission model bypasses, and a V8 hash-table weakness, several of which can be triggered remotely without authentication.
The most severe issue in this batch is CVE-2026-21637 (rated High), an incomplete fix of a prior TLS vulnerability by the same identifier. A flaw in Node.js TLS error handling leaves SNICallback invocations unprotected against synchronous exceptions, while equivalent ALPN and PSK callbacks were already addressed earlier.
When a TLS client sends an unexpected servername value, the thrown exception bypasses all TLS error handlers and propagates as an uncaught exception, crashing the Node.js process outright.
The fix, contributed by Matteo Collina, wraps SNICallback invocations in a try/catch block. Any TLS server operating on versions 20.x, 22.x, 24.x, or 25.x where SNICallback may throw is affected.
CVE-2026-21714 (Medium) affects Node.js HTTP/2 servers and involves unhandled NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can send malformed WINDOW_UPDATE frames on stream 0, triggering a memory leak in the server process over repeated connections.
Left unaddressed, this leads to resource exhaustion and eventually to denial-of-service. RafaelGSS authored the fix, adding explicit handling for this nghttp2 error code in the Node.js source layer.
CVE-2026-21717 (Medium) targets V8’s internal string hashing mechanism, which hashes integer-like strings to their numeric values — making hash collisions trivially predictable.
By crafting a payload that forces many such collisions, most commonly via JSON.parse() on attacker-controlled input, an adversary can significantly degrade the performance of the Node.js process in a classic HashDoS attack. This fix, contributed by Joyee Cheung, was applied across the deps, build, and test layers.
CVE-2026-21713 (Medium) introduces a timing side-channel in Node.js Web Cryptography HMAC verification. The flaw arises from using a non-constant-time memcmp() comparison when validating user-provided HMAC signatures, leaking timing information proportional to the number of matching bytes.
Under high-resolution measurement conditions, this can serve as a timing oracle to infer HMAC values. Filip Skokan resolved this by replacing the comparison with a timing-safe primitive already available in the codebase.
Two low-severity permission model bypasses were also patched. CVE-2026-21715 allows code running under --permission with restricted --allow-fs-read to use fs.realpathSync.native() to disclose file existence and resolve symlink paths outside permitted directories.
CVE-2026-21716 extends coverage to lib/fs/promises, which similarly lacked permission enforcement. Both were fixed by RafaelGSS. Additionally, CVE-2026-21710 addresses a HTTP header prototype pollution vector by using a null-prototype object for headersDistinct and trailersDistinct fields.
| CVE | Severity | Component | Impact |
|---|---|---|---|
| CVE-2026-21637 | High | TLS / SNICallback | Remote process crash |
| CVE-2026-21717 | Medium | V8 / JSON parsing | HashDoS / CPU exhaustion |
| CVE-2026-21713 | Medium | Web Crypto / HMAC | Timing oracle / MAC forgery |
| CVE-2026-21714 | Medium | HTTP/2 / nghttp2 | Memory leak / DoS |
| CVE-2026-21710 | Medium | HTTP headers | Prototype pollution |
| CVE-2026-21716 | Low | Permission Model (fs/promises) | Filesystem path disclosure |
| CVE-2026-21715 | Low | Permission Model (realpath) | Filesystem path disclosure |
Developers and system administrators are urged to upgrade immediately to the patched releases: v20.20.2, v22.22.2, v24.14.1, or v25.8.2.
Given that CVE-2026-21637 requires no authentication and directly causes process termination, environments hosting publicly accessible TLS servers should treat this upgrade as a critical priority.
Installers and binaries are available across Windows, macOS, Linux (x64, ARM, PPC, s390x), and AIX platforms via the official Node.js distribution channel.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Node.js Patches Multiple Vulnerabilities That Enable DoS Attacks and Process Crashes appeared first on Cyber Security News.
On April 1, NASA's Artemis II is set to embark on its 10-day mission to…
On April 1, NASA's Artemis II is set to embark on its 10-day mission to…
Spider-Noir, the upcoming superhero series starring Nicolas Cage, debuts on MGM+ on May 25, 2026,…
Spider-Noir, the upcoming superhero series starring Nicolas Cage, debuts on MGM+ on May 25, 2026,…
INDIANAPOLIS, Ind. (WOWO) — As the countdown to the 2026 NCAA Men’s Final Four begins,…
WHITING, Ind. (WOWO) — Indiana Governor Mike Braun joined locked-out workers on the picket line…
This website uses cookies.