
Node.js Fixes Multiple Vulnerabilities Leading to DoS and Crashes

Node.js has released a critical security update addressing multiple vulnerabilities that could allow attackers to crash applications or trigger denial-of-service (DoS) conditions.

The update, published on March 24, 2026, upgrades the Long-Term Support (LTS) branch to version 20.20.2, codenamed “Iron,” and patches seven distinct security flaws affecting core components such as TLS, HTTP/2, V8, and the permission model.

The most severe vulnerability, tracked as CVE-2026-21637, is rated High and affects Node.js TLS handling.

The issue stems from improper error handling in the SNICallback function, which is responsible for selecting certificates during TLS handshakes.

If a malicious client sends an unexpected server name value, it can trigger a synchronous exception that bypasses existing error handlers. This results in an uncaught exception that crashes the entire Node.js process.

This flaw is particularly dangerous because it can be exploited remotely without authentication, making publicly exposed TLS servers highly vulnerable.

The patch resolves the issue by wrapping SNICallback logic inside a try/catch block, preventing unhandled exceptions from terminating the process.

| CVE | Severity | Component | Impact |
|---|---|---|---|
| CVE-2026-21637 | High | TLS / SNICallback | Remote process crash |
| CVE-2026-21717 | Medium | V8 / JSON parsing | HashDoS / CPU exhaustion |
| CVE-2026-21713 | Medium | Web Crypto / HMAC | Timing oracle / MAC forgery |
| CVE-2026-21714 | Medium | HTTP/2 / nghttp2 | Memory leak / DoS |
| CVE-2026-21710 | Medium | HTTP headers | Prototype pollution |
| CVE-2026-21716 | Low | Permission Model (fs/promises) | Filesystem path disclosure |
| CVE-2026-21715 | Low | Permission Model (realpath) | Filesystem path disclosure |

Another notable issue, CVE-2026-21714, affects the HTTP/2 implementation in Node.js. It involves improper handling of NGHTTP2_ERR_FLOW_CONTROL errors.

Attackers can send specially crafted WINDOW_UPDATE frames to repeatedly trigger memory leaks. Over time, this leads to resource exhaustion and eventual service disruption.

The fix introduces explicit handling for these error conditions within the HTTP/2 processing layer.

Node.js also addressed a V8 engine-related vulnerability, CVE-2026-21717, which enables HashDoS attacks.

The flaw lies in how V8 hashes integer-like strings by converting them into numeric values, making collisions predictable.

By supplying specially crafted JSON input, attackers can force excessive hash collisions, significantly degrading performance and consuming CPU resources.

This issue is particularly relevant for applications processing untrusted JSON data.
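For services that must accept JSON from untrusted parties, the practical control is to bound what a single request may cost before it reaches the parser. The following is an added example, not code from the Node.js project: a byte cap applied before JSON.parse (the only check that runs before V8 has hashed the keys) and a key cap enforced through a reviver as defence in depth on the parsed object graph. The limits are assumed values for an imaginary service.

```javascript
// Added example (not Node.js project code): bound the size of untrusted JSON
// before parsing, and the number of keys in the parsed result.
const MAX_BYTES = 64 * 1024; // assumed per-request limit for this service
const MAX_KEYS = 10_000;     // assumed cap on object keys plus array slots

function parseUntrustedJSON(text, { maxBytes = MAX_BYTES, maxKeys = MAX_KEYS } = {}) {
  if (typeof text !== 'string') {
    throw new TypeError('expected a string body');
  }
  // Pre-parse check: this is the one that limits hashing work inside V8.
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    throw new RangeError(`JSON body exceeds ${maxBytes} bytes`);
  }
  let seen = 0;
  // The reviver is invoked once per parsed value after parsing has finished,
  // so it cannot reduce parser cost; it bounds what application code receives.
  return JSON.parse(text, (key, value) => {
    if (key !== '' && ++seen > maxKeys) {
      throw new RangeError(`JSON body has more than ${maxKeys} keys`);
    }
    return value;
  });
}

// Constructed sample: an object whose keys are integer-like strings, the key
// shape the advisory singles out. Small inputs like this must still parse.
function sampleIntegerKeyedObject(count) {
  const pairs = Array.from({ length: count }, (_, i) => [String(i), i]);
  return JSON.stringify(Object.fromEntries(pairs));
}
```

Pair the byte cap with the body limit of whatever HTTP layer sits in front of the application so that oversized bodies are rejected before they are buffered at all.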

In the cryptographic layer, CVE-2026-21713 exposes a timing side-channel vulnerability in HMAC verification.

The problem arises from using a non-constant-time comparison function (memcmp), which leaks timing information based on how many bytes match.

An attacker with precise timing measurements could potentially infer valid HMAC signatures. The patch replaces this with a constant-time comparison method to eliminate timing leaks.

Additionally, two low-severity vulnerabilities impact the Node.js permission model. CVE-2026-21715 and CVE-2026-21716 allow attackers to bypass filesystem access restrictions under certain configurations.

These flaws enable unauthorized path resolution and file existence disclosure, potentially exposing sensitive filesystem structure information.

Another fix addresses CVE-2026-21710, a prototype pollution issue in HTTP headers handling. By switching to null-prototype objects for specific header fields, Node.js prevents attackers from injecting malicious properties into object prototypes.
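Why a null-prototype object closes this class of bug is easier to see on a small header map. The following is an added example, not code from the Node.js project: the same header container built as a plain object and as a null-prototype object, with a lookup for a name that was never set. On the plain object, names such as "constructor" resolve to inherited properties of Object.prototype, and "__proto__" as a header name is swallowed by the prototype accessor; the null-prototype object has neither problem. The header pairs are constructed.

```javascript
// Added example (not Node.js project code): header storage with and without
// a prototype, showing why inherited properties are a correctness problem.
function headersFromPairs(pairs, { nullPrototype = true } = {}) {
  const headers = nullPrototype ? Object.create(null) : {};
  for (const [name, value] of pairs) {
    headers[name.toLowerCase()] = value;
  }
  return headers;
}

// Naive presence check of the kind found in many HTTP handlers.
function hasHeader(headers, name) {
  return headers[name.toLowerCase()] !== undefined;
}

// Constructed request headers: nothing unusual, just a host and a user agent.
const SAMPLE_PAIRS = [
  ['Host', 'service.example'],
  ['User-Agent', 'constructed-client/1.0'],
];

function compare() {
  const plain = headersFromPairs(SAMPLE_PAIRS, { nullPrototype: false });
  const safe = headersFromPairs(SAMPLE_PAIRS);
  return {
    // Never sent by the client, yet "present" on the plain object because
    // Object.prototype.constructor is inherited.
    plainSeesConstructor: hasHeader(plain, 'constructor'),
    safeSeesConstructor: hasHeader(safe, 'constructor'),
    // A client-supplied "__proto__" header is stored as an ordinary own
    // property only when there is no prototype accessor to intercept it.
    safeStoresProtoName: Object.hasOwn(
      headersFromPairs([['__proto__', 'x']]), '__proto__'),
    plainStoresProtoName: Object.hasOwn(
      headersFromPairs([['__proto__', 'x']], { nullPrototype: false }), '__proto__'),
    safeHasNoPrototype: Object.getPrototypeOf(safe) === null,
  };
}
```

Application code that keeps its own header or parameter maps benefits from the same change; Object.create(null) or a Map removes the inherited names entirely rather than relying on every lookup to use hasOwnProperty.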

Security experts strongly recommend upgrading to patched versions immediately, including v20.20.2, v22.22.2, v24.14.1, and v25.8.2.

Given the remote exploitability and process crash potential of CVE-2026-21637, organizations running Node.js in production, especially those hosting internet-facing services, should treat this update as a high priority.

The patched releases are available across all major platforms, including Windows, Linux, macOS, and enterprise architectures, through official Node.js distribution channels.


The post Node.js Fixes Multiple Vulnerabilities Leading to DoS and Crashes appeared first on Cyber Security News.
