CVE-2026-21710

| EUVD-2026-17170 HIGH
2026-03-30 hackerone
7.5
CVSS 3.0
Share

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 19:30 vuln.today
EUVD ID Assigned
Mar 30, 2026 - 19:30 euvd
EUVD-2026-17170
CVE Published
Mar 30, 2026 - 19:07 nvd
HIGH 7.5

Tags

Node.js Denial Of Service Redhat

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Analysis

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all Node.js services running versions 20.x, 22.x, 24.x, or 25.x and implement request filtering at load balancer or WAF layer to reject HTTP requests containing '__proto__' in header names. Within 7 days: Deploy reverse proxy (nginx/HAProxy) with header validation rules blocking malformed headers before reaching Node.js. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
nodejs
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream released 22.22.2+dfsg+~cs22.19.15-1

Debian

nodejs
Release Status Fixed Version Urgency
bullseye vulnerable 12.22.12~dfsg-1~deb11u4 -
bullseye (security) vulnerable 12.22.12~dfsg-1~deb11u7 -
bookworm, bookworm (security) vulnerable 18.20.4+dfsg-1~deb12u1 -
trixie fixed 20.19.2+dfsg-1+deb13u2 -
trixie (security) fixed 20.19.2+dfsg-1+deb13u2 -
forky vulnerable 22.22.1+dfsg+~cs22.19.15-1 -
sid fixed 22.22.2+dfsg+~cs22.19.15-1 -
(unstable) fixed 22.22.2+dfsg+~cs22.19.15-1 -
DSA-6183-1

Share

CVE-2026-21710 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy