The Node.js project has issued a series of security updates addressing multiple vulnerabilities across its active release lines. The update covers the 20.x, 22.x, 24.x, and 25.x branches and includes fixes for several high, medium, and low severity issues. Among the most notable is the follow-up to CVE-2026-21637, which features prominently in this release because the earlier fix for it was incomplete.
The March 2026 security rollout also updates the bundled undici dependency (to 6.24.1 or 7.24.4, depending on the release line). A key issue addressed is the incomplete fix for CVE-2026-21637, which left a weakness in TLS error handling.
Incomplete Fix for CVE-2026-21637 Leads to Remote DoS Risk
The vulnerability CVE-2026-21637 stems from improper exception handling in the TLS layer. Specifically, the loadSNI() function in _tls_wrap.js lacked a try/catch, so a synchronous exception thrown from a user-supplied SNICallback was never caught.
When unexpected input is passed and the callback throws, the exception escapes the TLS layer's error handling and surfaces as an uncaught exception. In practical terms, this crashes the Node.js process, which amounts to a remote Denial of Service (DoS). Notably, similar callback pathways such as ALPN and PSK had already been secured under CVE-2026-21637, which makes this an incomplete fix of the same vulnerability.
This issue affects all Node.js versions that previously received the CVE-2026-21637 patch, namely 20.x, 22.x, 24.x, and 25.x, particularly in environments where an SNICallback may throw on malformed server name input. The vulnerability was reported by mbarbs and resolved by mcollina.
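The following is an added example, not code from the Node.js project or from the advisory, showing the application-side mitigation that the fix makes unnecessary on patched runtimes: wrapping a user-supplied SNICallback so that a synchronous throw is routed to the callback's error argument instead of escaping as an uncaught exception. The inner callback, the hostname pattern, the context table and the helper names (`guardSNICallback`, `probe`) are all constructed for this illustration.

```javascript
// Added example (not Node.js project code): guarding a user-supplied
// SNICallback so that a synchronous throw inside it surfaces as a callback
// error instead of escaping as an uncaught exception. The inner callback,
// the hostname pattern and the context lookup are constructed for illustration.

// Constructed stand-in for a per-hostname SecureContext lookup. A real
// deployment would store tls.createSecureContext({...}) results here.
const contexts = new Map([
  ['api.example.test', { name: 'api-context' }],
  ['www.example.test', { name: 'www-context' }],
]);

// An SNICallback that validates its input strictly and throws synchronously
// on anything it does not expect: the failure mode described in the advisory.
function strictSNICallback(servername, cb) {
  if (typeof servername !== 'string' || !/^[a-z0-9.-]+$/i.test(servername)) {
    throw new TypeError(`unexpected server name: ${String(servername)}`);
  }
  const ctx = contexts.get(servername.toLowerCase());
  cb(null, ctx); // an undefined ctx falls back to the server's default context
}

// Wrap any SNICallback so a synchronous throw becomes cb(err). The TLS layer
// then fails only that handshake instead of taking the whole process down.
// cb is invoked at most once even if the inner callback both throws and calls it.
function guardSNICallback(inner) {
  return function guardedSNICallback(servername, cb) {
    let done = false;
    const once = (err, ctx) => {
      if (done) return;
      done = true;
      cb(err, ctx);
    };
    try {
      inner(servername, once);
    } catch (err) {
      once(err);
    }
  };
}

// Drive the guarded callback with a server name and report how it was handled.
// In a real server you would pass guardSNICallback(strictSNICallback) as the
// SNICallback option of tls.createServer.
function probe(servername) {
  let outcome;
  guardSNICallback(strictSNICallback)(servername, (err, ctx) => {
    outcome = err ? { error: err.message } : { context: ctx ? ctx.name : 'default' };
  });
  return outcome;
}
```

The guard is deliberately narrow: it only converts synchronous throws, which is exactly what the missing try/catch in loadSNI() failed to do. Asynchronous failures inside the callback must still be reported through cb(err) by the callback itself.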
Additional High Severity Vulnerability in Node.js HTTP Handling
Another high severity issue, tracked as CVE-2026-21710, affects HTTP request processing. A specially crafted request containing a `__proto__` header can trigger an uncaught TypeError when an application accesses req.headersDistinct.
This occurs because dest["__proto__"] resolves to Object.prototype rather than undefined, so the code ends up calling .push() on a non-array object. Because the error is thrown inside a property getter, it is not intercepted by the usual error handlers.
This leaves applications exposed unless developers explicitly wrap each access in a try/catch block. All Node.js HTTP servers running versions 20.x through 25.x are affected. The issue was reported by yushengchen and fixed by mcollina.
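The following is an added example, not code from the Node.js project, that re-creates the mechanism just described in simplified form: a distinct-headers accumulator built on a plain object breaks on a `__proto__` header name, while a null-prototype accumulator does not, and a try/catch around the access contains the getter's throw on an unpatched runtime. The sample header list, the request stand-in and the function names (`buildDistinctUnsafe`, `buildDistinctSafe`, `readHeadersDistinct`, `fakeRequest`) are constructed for this illustration and are not Node's internal implementation.

```javascript
// Added example (not Node.js project code): a simplified re-creation of how
// a distinct-headers map can be built, showing why a plain {} accumulator
// breaks on a "__proto__" header name and how a null-prototype accumulator
// avoids it. The helper names and the sample header list are constructed.

// Constructed raw header list in the [name, value, name, value, ...] shape
// Node exposes as req.rawHeaders. The "__proto__" entry is the malformed case.
const sampleRawHeaders = [
  'Host', 'example.test',
  'X-Forwarded-For', '10.0.0.1',
  '__proto__', 'polluted',
  'x-forwarded-for', '10.0.0.2',
];

// Accumulator using a plain object: dest["__proto__"] resolves to
// Object.prototype (truthy, not an array), so .push throws a TypeError.
function buildDistinctUnsafe(rawHeaders) {
  const dest = {};
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (!dest[name]) {
      dest[name] = [value];
    } else {
      dest[name].push(value); // TypeError when name is "__proto__"
    }
  }
  return dest;
}

// Hardened accumulator: a null-prototype object has no inherited
// "__proto__" accessor, so every header name becomes an own data property.
function buildDistinctSafe(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) {
      dest[name] = [value];
    } else {
      dest[name].push(value);
    }
  }
  return dest;
}

// Defensive read for application code on an unpatched runtime: the getter
// throws synchronously, so a try/catch around the access does contain it.
function readHeadersDistinct(req) {
  try {
    return { ok: true, headers: req.headersDistinct };
  } catch (err) {
    return { ok: false, error: err };
  }
}

// Constructed request-like object whose headersDistinct getter behaves like
// either variant, so readHeadersDistinct can be exercised offline.
function fakeRequest(rawHeaders, unsafe) {
  return {
    rawHeaders,
    get headersDistinct() {
      return unsafe ? buildDistinctUnsafe(this.rawHeaders) : buildDistinctSafe(this.rawHeaders);
    },
  };
}
```

The safe variant also checks for `undefined` rather than falsiness, so an empty array value (which cannot occur here but can in similar accumulators) would not be silently replaced.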
Medium Severity Issues Affecting Node.js Runtime and Security
Several medium-severity vulnerabilities were also addressed in this release:
- CVE-2026-21711: A bypass in the Node.js Permission Model allows Unix Domain Socket (UDS) servers to bind and listen without the --allow-net flag. This flaw enables unauthorized inter-process communication even when network access is intended to be restricted. It affects version 25.x and was reported by xavlimsg.
- CVE-2026-21712: A malformed internationalized domain name passed to url.format() can trigger an assertion failure in node_url.cc, crashing the process. This impacts versions 24.x and 25.x.
- CVE-2026-21713: A timing side-channel vulnerability in HMAC verification uses memcmp() instead of a constant-time comparison. This can leak timing data that might be exploited to infer MAC values under specific conditions.
- CVE-2026-21714: A memory leak in HTTP/2 servers occurs when WINDOW_UPDATE frames are abused, leading to resource exhaustion. The Http2Session object is not cleaned up even after a GOAWAY frame is issued.
- CVE-2026-21717: A HashDoS vulnerability in the V8 engine allows attackers to generate predictable hash collisions using integer-like strings. This can degrade performance, especially in endpoints processing untrusted JSON input.
Low Severity Vulnerabilities in Node.js Permission Model
Two lower-severity issues were also identified:
- CVE-2026-21715: The fs.realpathSync.native() method bypasses read permission checks, allowing file existence disclosure even under restricted filesystem permissions.
- CVE-2026-21716: An incomplete patch for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without proper permission enforcement, enabling unauthorized modifications.
Impact and Affected Node.js Versions
The impact varies slightly across versions:
- Node.js 25.x: 2 high, 5 medium, 2 low severity vulnerabilities
- Node.js 24.x: 2 high, 4 medium, 2 low severity vulnerabilities
- Node.js 22.x: 2 high, 4 medium, 2 low severity vulnerabilities
- Node.js 20.x: 2 high, 4 medium, 2 low severity vulnerabilities
The project released updated versions to address these issues:
- Node.js v20.20.2
- Node.js v22.22.2
- Node.js v24.14.1
- Node.js v25.8.2
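The following is an added example, not code from the Node.js project, that turns the release list above into a startup or CI check: it parses a Node.js version string, maps its major line to the first patched release listed here, and reports whether the version is patched, still vulnerable, or on a line this advisory does not cover. The function names (`parseVersion`, `compareVersions`, `patchStatus`, `checkRunningNode`) are this example's own.

```javascript
// Added example (not Node.js project code): checks whether a Node.js version
// includes the March 2026 fixes, using the patched versions listed above.
// Lines outside the four listed ones are reported as unknown, not guessed.

// First patched release per major line, taken from the release list above.
const PATCHED = { 20: [20, 20, 2], 22: [22, 22, 2], 24: [24, 14, 1], 25: [25, 8, 2] };

// Parse "v20.20.1", "20.20.1" or "v25.8.2-rc.1" into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`unrecognized Node.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (string comparison would rank 24.9.0 above 24.14.1).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'patched', 'vulnerable', or 'unknown' for a line this release does not cover.
function patchStatus(version) {
  const v = parseVersion(version);
  const fixed = PATCHED[v[0]];
  if (!fixed) return 'unknown';
  return compareVersions(v, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Check the current process; usable as a startup assertion or a CI gate.
function checkRunningNode() {
  return { version: process.version, status: patchStatus(process.version) };
}
```

Treat 'unknown' as a finding rather than a pass: a line absent from the table is either end-of-life or newer than this advisory, and both cases deserve a manual look.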