Skip to main content

Node.js CVE-2026-21710

| EUVDEUVD-2026-17170 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-30 hackerone
7.5
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 19:30 euvd
EUVD-2026-17170
Analysis Generated
Mar 30, 2026 - 19:30 vuln.today
CVE Published
Mar 30, 2026 - 19:07 nvd
HIGH 7.5

DescriptionCVE.org

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct.

When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.

  • This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x

AnalysisAI

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted __proto__ headers and code accesses req.headersDistinct. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Technical ContextAI

This vulnerability exploits JavaScript's prototype pollution mechanics in Node.js's HTTP header parsing implementation. When a client sends an HTTP request with a header named __proto__ (JavaScript's internal prototype property), and server code accesses the req.headersDistinct getter, the internal implementation attempts to call .push() on dest['__proto__']. Instead of resolving to undefined or a header array, this resolves to Object.prototype, causing a TypeError when attempting array operations on the base Object prototype. The exception is thrown synchronously within the getter's execution context, making it impossible to catch with async error handlers or HTTP server error event listeners. Applications must wrap every req.headersDistinct access in try/catch blocks to prevent crashes. The affected CPE (cpe:2.3:a:nodejs:node) covers the Node.js runtime across all major Active and Maintenance LTS branches currently in production use.

RemediationAI

Apply vendor-released security updates immediately. Upgrade to patched Node.js versions as specified in the official Node.js security release announcement at https://nodejs.org/en/blog/vulnerability/march-2026-security-releases for each affected branch (20.x, 22.x, 24.x, 25.x). Debian users should apply security update DSA-6183-1 per https://security-tracker.debian.org/tracker/dsa-6183-1. Ubuntu users should monitor their security tracker for release-specific patches across the 8 tracked releases. As an interim workaround until patches are deployed, audit application code to identify all instances where req.headersDistinct is accessed and wrap those accesses in try/catch blocks to prevent uncaught exceptions from crashing the process. Consider implementing request filtering or reverse proxy rules to reject requests containing __proto__ headers at the edge, though this may impact legitimate use cases. Monitor application logs for TypeError exceptions related to header processing as potential exploitation indicators.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

Ubuntu

Priority: Medium
nodejs
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream released 22.22.2+dfsg+~cs22.19.15-1

Debian

nodejs
Release Status Fixed Version Urgency
bullseye vulnerable 12.22.12~dfsg-1~deb11u4 -
bullseye (security) vulnerable 12.22.12~dfsg-1~deb11u7 -
bookworm, bookworm (security) vulnerable 18.20.4+dfsg-1~deb12u1 -
trixie fixed 20.19.2+dfsg-1+deb13u2 -
trixie (security) fixed 20.19.2+dfsg-1+deb13u2 -
forky vulnerable 22.22.1+dfsg+~cs22.19.15-1 -
sid fixed 22.22.2+dfsg+~cs22.19.15-1 -
(unstable) fixed 22.22.2+dfsg+~cs22.19.15-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed

Share

CVE-2026-21710 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy