Node.js Strengthens Security with Critical Updates, Addressing DoS Vulnerabilities


The Node.js project has recently rolled out a significant series of security updates aimed at addressing multiple vulnerabilities across its active release lines. This update encompasses versions 20.x, 22.x, 24.x, and 25.x, introducing fixes for various high, medium, and low severity issues. Among the most pressing concerns is CVE-2026-21637, which has gained attention due to its incomplete resolution prior to this update.

Overview of the March 2026 Security Rollout

The March 2026 security rollout includes updates to critical dependencies, such as undici versions 6.24.1 and 7.24.4, for all supported release lines. A key issue being addressed is linked to CVE-2026-21637, which concerns error handling in the TLS layer. The incomplete earlier fix has drawn attention from cybersecurity professionals because an unhandled error in that path can take down a server process.

Incomplete Fix for CVE-2026-21637 Leads to Remote DoS Risk

CVE-2026-21637 arises from improper exception handling within the TLS layer. Specifically, the loadSNI() function in _tls_wrap.js lacked a necessary try/catch mechanism. This deficiency left SNICallback executions vulnerable to unhandled synchronous exceptions. When unexpected input is processed and the callback throws, the exception escapes the TLS layer and surfaces as an uncaught exception. This flaw can crash the Node.js process, leading to a Remote Denial of Service (DoS) scenario.

Notably, similar callback pathways, such as ALPN and PSK, had already been secured under CVE-2026-21637, highlighting the incomplete nature of the fix. This vulnerability affects all Node.js versions that previously received the CVE-2026-21637 patch, particularly in environments where SNICallback may fail due to malformed server name inputs. The vulnerability was reported by mbarbs and resolved by mcollina.
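As an added illustration of the guard the advisory says loadSNI() lacked (this is example code, not Node.js's own source or patch): an application's SNICallback that throws on an unexpected server name is wrapped so that a synchronous throw becomes a callback error for that one handshake instead of an uncaught exception. pickContextByName, guardSNICallback and runHandshake are constructed for this example, and the returned context object is a stand-in for a real SecureContext.

```javascript
// Hypothetical application SNICallback (constructed for this example).
// It validates the server name and throws on input it does not expect,
// which is the failure mode the advisory describes.
function pickContextByName(servername, cb) {
  if (!/^[a-z0-9.-]+$/i.test(servername)) {
    throw new TypeError(`unexpected server name: ${servername}`);
  }
  // Stand-in for tls.createSecureContext(...) output.
  cb(null, { context: `ctx-for-${servername}` });
}

// Guard: run the user callback inside try/catch and route any synchronous
// throw to cb(err), so only this client's handshake fails. The "settled"
// flag prevents the callback being invoked twice if the user callback both
// calls cb() and then throws.
function guardSNICallback(userCallback) {
  return function guarded(servername, cb) {
    let settled = false;
    const once = (err, ctx) => {
      if (settled) return;
      settled = true;
      cb(err, ctx);
    };
    try {
      userCallback(servername, once);
    } catch (err) {
      once(err);
    }
  };
}

// Minimal stand-in for the TLS layer invoking the SNI callback and
// collecting either a context or an error for the handshake.
function runHandshake(snicb, servername) {
  let outcome = null;
  snicb(servername, (err, ctx) => {
    outcome = err ? { error: err.message } : { ctx };
  });
  return outcome;
}
```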

Additional High Severity Vulnerability in Node.js HTTP Handling

Another high severity issue, tracked as CVE-2026-21710, impacts HTTP request processing. A specially crafted request containing a header named __proto__ can trigger an uncaught TypeError when applications attempt to access req.headersDistinct. This occurs because dest["__proto__"] resolves to Object.prototype rather than undefined, leading to a .push() call on a non-array object. Since this error is thrown within a property getter, it cannot be intercepted by standard error handlers, leaving applications vulnerable unless developers explicitly wrap each access in try/catch blocks. All Node.js HTTP servers running versions 20.x through 25.x are affected. This issue was reported by yushengchen and fixed by mcollina.
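The root cause and the usual fix, as an added example (not Node.js's own headersDistinct implementation or its patch): a flat rawHeaders-style list is grouped into arrays first with a plain object, which breaks on a header named __proto__, and then with a null-prototype object that has no inherited __proto__ accessor. groupHeadersUnsafe, groupHeadersSafe, demo and the sample header list are constructed for this illustration.

```javascript
// Vulnerable pattern: plain object as the accumulator. For a header named
// "__proto__", dest["__proto__"] resolves to Object.prototype instead of
// undefined, so the existence check passes and .push() is called on an
// object that has no push method, throwing TypeError.
function groupHeadersUnsafe(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) {
      dest[name] = [value];
    } else {
      dest[name].push(value); // TypeError: dest[name].push is not a function
    }
  }
  return dest;
}

// Hardened pattern: a null-prototype object has no inherited "__proto__"
// accessor, and Object.hasOwn() only sees keys this code stored itself.
function groupHeadersSafe(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (Object.hasOwn(dest, name)) {
      dest[name].push(value);
    } else {
      dest[name] = [value];
    }
  }
  return dest;
}

// Constructed sample: a duplicated Cookie header plus a hostile "__proto__" name.
const SAMPLE_RAW_HEADERS = [
  "Host", "example.test",
  "Cookie", "a=1",
  "Cookie", "b=2",
  "__proto__", "x",
];

function demo() {
  let unsafeError = null;
  try { groupHeadersUnsafe(SAMPLE_RAW_HEADERS); } catch (e) { unsafeError = e; }
  const safe = groupHeadersSafe(SAMPLE_RAW_HEADERS);
  return { unsafeThrows: unsafeError instanceof TypeError, safe };
}
```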

Medium Severity Issues Affecting Node.js Runtime and Security

The recent updates also address several medium-severity vulnerabilities:

  • CVE-2026-21711: A bypass in the Node.js Permission Model allows Unix Domain Socket (UDS) servers to bind and listen without the --allow-net flag. This flaw enables unauthorized inter-process communication, even when network access is intended to be restricted. This issue affects version 25.x and was reported by xavlimsg.

  • CVE-2026-21712: A malformed internationalized domain name passed to url.format() can trigger an assertion failure in node_url.cc, resulting in a process crash. This vulnerability impacts versions 24.x and 25.x.

  • CVE-2026-21713: A timing side-channel vulnerability in HMAC verification utilizes memcmp() instead of a constant-time comparison. This can leak timing data that could be exploited to infer MAC values under specific conditions.

  • CVE-2026-21714: A memory leak in HTTP/2 servers occurs when WINDOW_UPDATE frames are abused, leading to resource exhaustion. The Http2Session object is not cleaned up even after a GOAWAY frame is issued.

  • CVE-2026-21717: A HashDoS vulnerability in the V8 engine allows attackers to generate predictable hash collisions using integer-like strings, potentially degrading performance, especially in endpoints processing untrusted JSON input.

Low Severity Vulnerabilities in Node.js Permission Model

Two lower-severity issues have also been identified:

  • CVE-2026-21715: The fs.realpathSync.native() method bypasses read permission checks, allowing file existence disclosure even under restricted filesystem permissions.

  • CVE-2026-21716: An incomplete patch for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without proper permission enforcement, enabling unauthorized modifications.

Impact and Affected Node.js Versions

The impact of these vulnerabilities varies slightly across different versions:

  • Node.js 25.x: 2 high, 5 medium, 2 low severity vulnerabilities.
  • Node.js 24.x: 2 high, 4 medium, 2 low severity vulnerabilities.
  • Node.js 22.x: 2 high, 4 medium, 2 low severity vulnerabilities.
  • Node.js 20.x: 2 high, 4 medium, 2 low severity vulnerabilities.

To address these issues, the project has released updated versions:

  • Node.js v20.20.2
  • Node.js v22.22.2
  • Node.js v24.14.1
  • Node.js v25.8.2

For further details on these vulnerabilities, refer to the reporting by thecyberexpress.com.
