
Node.js Security Bulletin: CVE-2026-21637 and Other Fixes Explained

The Node.js project has recently released a series of security updates to address multiple vulnerabilities across its active release lines. These updates span versions 20.x, 22.x, 24.x, and 25.x, and include fixes for issues ranging from high to low severity. Among the most critical is CVE-2026-21637, which required further remediation after an incomplete initial fix. This blog post summarizes the key vulnerabilities addressed in this update and their potential impact.


High Severity Vulnerabilities

CVE-2026-21637: Incomplete TLS Error Handling

This vulnerability stems from improper exception handling within the TLS layer, specifically in the loadSNI() function of _tls_wrap.js. Because the SNICallback invocation was not wrapped in a try/catch, any synchronous exception thrown by the callback escaped the TLS layer uncaught. When the callback throws on unexpected input, the resulting uncaught exception crashes the Node.js process, which makes this a potential Remote Denial of Service (DoS). All Node.js versions that received the initial CVE-2026-21637 patch (20.x, 22.x, 24.x, and 25.x) were affected.

CVE-2026-21710: HTTP Request Processing Error

This critical issue affects HTTP request processing. A specially crafted request containing a __proto__ header can trigger an uncaught TypeError when applications access req.headersDistinct. The vulnerability occurs because dest["__proto__"] resolves to Object.prototype instead of undefined, causing a .push() operation on a non-array object. Because the error is thrown within a property getter, it cannot be intercepted by standard error handlers. All Node.js HTTP servers running versions 20.x through 25.x are affected.
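The bug class here is a plain object used as a dictionary keyed by attacker-controlled header names. The added example below (illustrative code, not the Node.js implementation of headersDistinct) builds the same "header name to array of values" table two ways: the unsafe form reproduces the TypeError the advisory describes, and the hardened form uses a null-prototype object so that "__proto__" is just another key. The function names and the sample raw header list are constructed for this example.

```javascript
// Added example (not Node.js project code): grouping repeated headers into
// arrays, first with a plain object and then safely. The rawHeaders shape
// (name, value, name, value, ...) matches what req.rawHeaders provides.

// Unsafe version: dest["__proto__"] is not undefined but Object.prototype,
// so the .push() call below throws a TypeError on a "__proto__" header.
function groupHeadersUnsafe(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) dest[name] = [];
    dest[name].push(value);
  }
  return dest;
}

// Hardened version: Object.create(null) has no inherited "__proto__"
// accessor, so every key is ordinary own data. The hasOwnProperty check
// is spelled out so it also works on a null-prototype object.
function groupHeadersSafe(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (!Object.prototype.hasOwnProperty.call(dest, name)) dest[name] = [];
    dest[name].push(value);
  }
  return dest;
}

// Constructed sample in req.rawHeaders shape, including a repeated header
// and the hostile "__proto__" name from the advisory.
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.test',
  'X-Forwarded-For', '203.0.113.7',
  'X-Forwarded-For', '198.51.100.9',
  '__proto__', 'polluted',
];

// Returns true when the unsafe grouping fails with a TypeError on the sample,
// which is the crash path the advisory describes.
function unsafeVersionThrowsTypeError() {
  try {
    groupHeadersUnsafe(SAMPLE_RAW_HEADERS);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

A Map keyed by header name is an equally good fix; the important property is that lookups never walk the prototype chain when the key comes from the network.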


Medium Severity Vulnerabilities


  • CVE-2026-21711: A bypass in the Node.js Permission Model allows Unix Domain Socket (UDS) servers to bind and listen without the --allow-net flag. This enables unauthorized inter-process communication, even when network access is restricted.
  • CVE-2026-21712: A malformed internationalized domain name passed to url.format() can trigger an assertion failure in node_url.cc, crashing the process.
  • CVE-2026-21713: A timing side-channel vulnerability in HMAC verification uses memcmp() instead of a constant-time comparison, potentially leaking timing data that could be exploited to infer MAC values.
  • CVE-2026-21714: A memory leak in HTTP/2 servers occurs when WINDOW_UPDATE frames are abused, leading to resource exhaustion. The Http2Session object is not cleaned up even after a GOAWAY frame is issued.
  • CVE-2026-21717: A HashDoS vulnerability in the V8 engine allows attackers to generate predictable hash collisions using integer-like strings, degrading performance, especially in endpoints processing untrusted JSON input.

Low Severity Vulnerabilities

  • CVE-2026-21715: The fs.realpathSync.native() method bypasses read permission checks, allowing file existence disclosure even under restricted filesystem permissions.
  • CVE-2026-21716: An incomplete patch for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without proper permission enforcement, enabling unauthorized modifications.

Tactics, Techniques, and Procedures (TTPs)

Attackers can exploit these vulnerabilities using the following tactics and techniques:

  • TA0040 – Impact: Disrupting service availability through endpoint denial of service attacks.
  • TA0004 – Defense Evasion: Exploiting vulnerabilities to bypass security measures and escalate privileges.
  • T1499 – Endpoint Denial of Service: Causing a denial of service by crashing the Node.js process.
  • T1068 – Exploitation for Privilege Escalation: Leveraging vulnerabilities to gain elevated privileges or bypass intended restrictions.

Affected Versions and Mitigation

The impact of these vulnerabilities varies slightly across Node.js versions:

  • Node.js 25.x: 2 high, 5 medium, 2 low severity vulnerabilities
  • Node.js 24.x: 2 high, 4 medium, 2 low severity vulnerabilities
  • Node.js 22.x: 2 high, 4 medium, 2 low severity vulnerabilities
  • Node.js 20.x: 2 high, 4 medium, 2 low severity vulnerabilities

To address these issues, the following updated versions have been released:

  • Node.js v20.20.2
  • Node.js v22.22.2
  • Node.js v24.14.1
  • Node.js v25.8.2

It is highly recommended that all Node.js users update to these patched versions to mitigate the identified security risks.
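As an added helper (not part of the bulletin or the Node.js project), the script below compares a Node.js version string against the fixed releases listed above and reports whether a host is patched, still vulnerable, or on a release line this bulletin does not cover. Run under Node.js it checks the interpreter it is executed with; the function names are assumptions for illustration.

```javascript
// Added example (not Node.js project code): compare a Node.js version against
// the patched releases named in this bulletin. `assessVersion` and the other
// helpers are illustrative names.

// Fixed releases from the bulletin, keyed by major release line.
const PATCHED = {
  20: [20, 20, 2],
  22: [22, 22, 2],
  24: [24, 14, 1],
  25: [25, 8, 2],
};

// Parse "v22.22.2" or "22.22.2" into [major, minor, patch]; pre-release or
// build suffixes after the patch number are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'patched', 'vulnerable', or 'unlisted'. 'unlisted' means the major
// line is not in the bulletin at all (for example an end-of-life line that
// receives no fix), which is not the same as safe.
function assessVersion(v) {
  const parsed = parseVersion(v);
  const fixed = PATCHED[parsed[0]];
  if (!fixed) return 'unlisted';
  return compareVersions(parsed, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// When run directly, report on the interpreter executing this script.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(process.version, '->', assessVersion(process.version));
}
```

For fleet-wide checks, feed the output of `node --version` from each host into assessVersion and treat both 'vulnerable' and 'unlisted' as findings.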


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.