
Node.js Patches Multiple Vulnerabilities That Enable DoS Attacks and Process Crashes

Cybersecurity News · Mar 25, 2026




The Node.js project released a critical security update on March 24, 2026, for the Long-Term Support (LTS) branch, designating version 20.20.2 ‘Iron’ as a security release. The update resolves seven tracked vulnerabilities spanning TLS error handling, HTTP/2 flow control, cryptographic timing leaks, permission model bypasses, and a V8 hash-table weakness, several of which can be triggered remotely without authentication.

Critical TLS SNICallback Flaw Enables Remote Process Crash

The most severe issue in this batch is CVE-2026-21637 (rated High), which stems from an incomplete fix of a prior TLS vulnerability tracked under the same identifier. A flaw in Node.js TLS error handling leaves SNICallback invocations unprotected against synchronous exceptions, whereas the equivalent ALPN and PSK callbacks had already been addressed. When a TLS client sends an unexpected servername value, the thrown exception bypasses all TLS error handlers and propagates as an uncaught exception, crashing the Node.js process outright. The fix, contributed by Matteo Collina, wraps SNICallback invocations in a try/catch block. Any TLS server running on versions 20.x, 22.x, 24.x, or 25.x whose SNICallback may throw is affected.

HTTP/2 Flow Control Error Triggers Memory Leak and DoS

CVE-2026-21714 (Medium) affects Node.js HTTP/2 servers and involves unhandled NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can send malformed WINDOW_UPDATE frames on stream 0, triggering a memory leak in the server process over repeated connections. Left unaddressed, this leads to resource exhaustion and eventually to denial of service. RafaelGSS authored the fix, adding explicit handling for this nghttp2 error code in the Node.js source layer.
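The SNICallback section above describes a synchronous throw escaping every TLS error handler. The following is an added example, not code from the Node.js project or from the article, of an application-side guard that an operator can apply until the patched release is deployed: it wraps a user-supplied SNICallback so that any synchronous exception is routed through the callback's error argument, failing only that client's handshake. The `lookupContext` function and the `good.example` / `unknown.example` hostnames are constructed for the demo.

```javascript
'use strict';
// Added example (not Node.js project code). Application-side guard for a
// tls.Server SNICallback handler on builds that predate the CVE-2026-21637
// fix. In affected versions a synchronous throw inside SNICallback escapes
// every TLS error handler and terminates the process; this wrapper turns
// such a throw into cb(err), so only the offending handshake fails.

// Wrap handler(servername, cb) so any synchronous exception is reported
// through cb(err) exactly once; onError is an optional hook for logging
// and metrics (constructed signature, not a Node.js API).
function guardSNICallback(handler, onError) {
  return function guardedSNICallback(servername, cb) {
    let settled = false;
    const done = (err, ctx) => {
      if (settled) return;   // never report twice for one handshake
      settled = true;
      cb(err, ctx);
    };
    try {
      handler(servername, done);
    } catch (err) {
      if (onError) onError(err, servername);
      done(err);
    }
  };
}

// Hypothetical per-hostname lookup standing in for a real
// tls.SecureContext lookup. It throws synchronously for unknown
// names, which is exactly the pattern that crashed unpatched servers.
const contexts = new Map([['good.example', { host: 'good.example' }]]);
function lookupContext(servername, cb) {
  if (!contexts.has(servername)) {
    throw new Error('no certificate for ' + servername);
  }
  cb(null, contexts.get(servername));
}

// Drive the unguarded handler directly: returns true if it throws.
function unguardedThrows(servername) {
  try {
    lookupContext(servername, () => {});
    return false;
  } catch {
    return true;
  }
}

// Drive the guarded handler directly (no TLS server needed) and report
// what a client presenting the given servername would experience.
function simulateHandshake(servername) {
  let outcome;
  const guarded = guardSNICallback(lookupContext, () => {});
  guarded(servername, (err, ctx) => {
    outcome = err ? 'handshake-failed:' + err.message : 'ok:' + ctx.host;
  });
  return outcome;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateHandshake('good.example'));     // ok:good.example
  console.log(simulateHandshake('unknown.example'));  // handshake-failed:...
}
```

In a real server the wrapped handler is passed as `SNICallback: guardSNICallback(lookupContext, logHook)` to `tls.createServer` or `https.createServer`; the guard only covers synchronous throws, which is the class the patch addresses, so asynchronous lookups must still report failures via the callback rather than rejecting an unhandled promise.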
V8 HashDoS via Array Index Collision

CVE-2026-21717 (Medium) targets V8’s internal string hashing mechanism, which hashes integer-like strings to their numeric values, making hash collisions trivially predictable. By crafting a payload that forces many such collisions, most commonly via JSON.parse() on attacker-controlled input, an adversary can significantly degrade the performance of the Node.js process in a classic HashDoS attack. The fix, contributed by Joyee Cheung, was applied across the deps, build, and test layers.

Cryptographic Timing Oracle in HMAC Verification

CVE-2026-21713 (Medium) concerns a timing side-channel in Node.js Web Cryptography HMAC verification. The flaw arises from using a non-constant-time memcmp() comparison when validating user-provided HMAC signatures, leaking timing information proportional to the number of matching bytes. Under high-resolution measurement conditions, this can serve as a timing oracle to infer HMAC values. Filip Skokan resolved this by replacing the comparison with a timing-safe primitive already available in the codebase.

Permission Model Bypasses

Two low-severity permission model bypasses were also patched. CVE-2026-21715 allows code running under --permission with a restricted --allow-fs-read to use fs.realpathSync.native() to disclose file existence and resolve symlink paths outside the permitted directories. CVE-2026-21716 extends the coverage to lib/fs/promises, which similarly lacked permission enforcement. Both were fixed by RafaelGSS. Additionally, CVE-2026-21710 addresses an HTTP header prototype pollution vector by using a null-prototype object for the headersDistinct and trailersDistinct fields.
Vulnerability Summary

CVE             Severity  Component                       Impact
CVE-2026-21637  High      TLS / SNICallback               Remote process crash
CVE-2026-21717  Medium    V8 / JSON parsing               HashDoS / CPU exhaustion
CVE-2026-21713  Medium    Web Crypto / HMAC               Timing oracle / MAC forgery
CVE-2026-21714  Medium    HTTP/2 / nghttp2                Memory leak / DoS
CVE-2026-21710  Medium    HTTP headers                    Prototype pollution
CVE-2026-21716  Low       Permission Model (fs/promises)  Filesystem path disclosure
CVE-2026-21715  Low       Permission Model (realpath)     Filesystem path disclosure

Developers and system administrators are urged to upgrade immediately to the patched releases: v20.20.2, v22.22.2, v24.14.1, or v25.8.2. Given that CVE-2026-21637 requires no authentication and directly causes process termination, environments hosting publicly accessible TLS servers should treat this upgrade as a critical priority. Installers and binaries are available for Windows, macOS, Linux (x64, ARM, PPC, s390x), and AIX via the official Node.js distribution channel.
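The CVE-2026-21710 item above says the fix stores headersDistinct and trailersDistinct in a null-prototype object. The following added example, not Node.js project code and not from the article, shows why that matters by building a name-to-values header map from a flat rawHeaders array with a plain object and with `Object.create(null)`, and reporting how each behaves when a header name collides with an `Object.prototype` member. The `collectDistinct` helper and the sample header names are constructed for the demo.

```javascript
'use strict';
// Added example (not Node.js project code). Illustrates the data-structure
// choice behind the CVE-2026-21710 fix: a header map with a null prototype
// cannot be confused with, or redirect writes into, Object.prototype.

// Build name -> [values] from a flat [name, value, name, value, ...] array,
// the shape http.IncomingMessage.rawHeaders has. `proto` selects the map's
// prototype: null (the hardened choice) or Object.prototype (a plain {}).
function collectDistinct(rawHeaders, proto = null) {
  const out = Object.create(proto);
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (!Object.prototype.hasOwnProperty.call(out, name)) out[name] = [];
    out[name].push(value);
  }
  return out;
}

// Compare both maps on a constructed header list containing a name that
// collides with the __proto__ accessor and an ordinary Host header.
function demoHeaders() {
  const raw = ['__proto__', 'x', 'Host', 'example.test'];   // constructed
  const plain = collectDistinct(raw, Object.prototype);
  const safe = collectDistinct(raw);
  return {
    // With a plain object, out['__proto__'] = [] hits the inherited setter:
    // the header value never becomes an own property and the map's prototype
    // is silently replaced by the value array.
    plainOwnProto: Object.prototype.hasOwnProperty.call(plain, '__proto__'),
    plainProtoIsArray: Array.isArray(Object.getPrototypeOf(plain)),
    // A plain map also reports inherited members as "present" headers.
    plainHasConstructor: 'constructor' in plain,
    // With a null prototype the same name is just an own key.
    safeOwnProto: Object.prototype.hasOwnProperty.call(safe, '__proto__'),
    safeProto: safe['__proto__'].join(','),
    safeHasConstructor: 'constructor' in safe,
    safeHost: safe.host.join(','),
    // Neither map touched the shared Object.prototype.
    globalClean: !('x' in {}) && Object.getPrototypeOf({}) === Object.prototype,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoHeaders());
}
```

The same pattern applies to any lookup table keyed by attacker-chosen strings (query parameters, JSON object keys, cookie names): create it with `Object.create(null)` or use a `Map`, and check membership with `Object.prototype.hasOwnProperty.call` rather than `in` or truthiness.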