Node.js Patches Critical DoS and Process Crash Vulnerabilities
Key Takeaways
- Node.js has released critical security updates for its Long-Term Support (LTS) and current branches.
- Seven vulnerabilities have been addressed, including critical denial-of-service (DoS) and process crash flaws.
- Affected components include TLS, HTTP/2, V8, and the Web Cryptography API.
- Immediate upgrades are crucial, especially for servers exposed to the internet, to mitigate remote exploitation risks.
Node.js Addresses Critical DoS and Process Crash Vulnerabilities in Latest Security Release
On March 24, 2026, the Node.js project rolled out a significant security update for its Long-Term Support (LTS) and current branches, headlined by LTS version 20.20.2, codenamed ‘Iron’. The update addresses seven vulnerabilities spanning several core components of the Node.js runtime.
The patches tackle issues ranging from error handling in TLS and HTTP/2 flow control to cryptographic timing leaks, potential permission model bypasses, and a weakness in V8’s hash-table implementation. Several of these flaws present a severe risk as they can be triggered remotely without requiring authentication.
Critical TLS SNICallback Flaw Leads to Remote Process Crash
The most pressing vulnerability in this release is CVE-2026-21637, rated High severity. It completes an earlier, incomplete patch for a TLS vulnerability tracked under the same identifier. The gap was in Node.js’s TLS error handling: SNICallback invocations were left exposed to synchronous exceptions, even though the analogous ALPN and PSK callbacks had already been secured.
The vulnerability manifests when a TLS client sends an unexpected servername value. The resulting exception bypasses the standard TLS error handlers and propagates as an uncaught exception, crashing the Node.js process immediately. Matteo Collina contributed the fix, which wraps SNICallback invocations in a try/catch block. Any TLS server on Node.js 20.x, 22.x, 24.x, or 25.x whose configured SNICallback can throw is susceptible.
HTTP/2 Flow Control Error Triggers Memory Leak and DoS
Another significant issue is CVE-2026-21714, rated Medium severity. This vulnerability impacts Node.js HTTP/2 servers and involves the inadequate handling of NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can exploit this by sending malformed WINDOW_UPDATE frames on stream 0. Repeated connections leveraging this technique can trigger a memory leak within the server process.
If left unaddressed, this persistent memory leak can lead to resource exhaustion, ultimately resulting in a denial-of-service condition. RafaelGSS provided the patch, which introduces explicit handling for this specific nghttp2 error code within the Node.js source layer.
V8 HashDoS via Array Index Collision
CVE-2026-21717, also rated Medium, targets the V8 JavaScript engine’s internal string hashing mechanism. V8 hashes integer-like strings to their numeric values, which makes colliding keys trivial to construct. An attacker can craft a payload, often fed through functions such as JSON.parse() on attacker-controlled input, designed to force large numbers of such collisions.
This technique can severely degrade the performance of the Node.js process, leading to a classic HashDoS attack. Joyee Cheung contributed the fix, which has been applied across the dependencies, build, and test layers of the Node.js project.
Cryptographic Timing Oracle in HMAC Verification
A Medium-severity timing side-channel vulnerability, CVE-2026-21713, has been identified in Node.js Web Cryptography HMAC verification. The flaw arises from the use of a non-constant-time memcmp() function when validating user-provided HMAC signatures. This implementation detail leaks timing information proportional to the number of bytes that match during the comparison.
Under precise measurement conditions, this timing disparity can serve as an oracle, potentially allowing an attacker to infer HMAC values. Filip Skokan resolved this issue by replacing the vulnerable comparison with a timing-safe primitive already available within the codebase.
Permission Model Bypasses and Other Fixes
Two low-severity permission model bypasses were also addressed. CVE-2026-21715 allowed code running with --permission and a restricted --allow-fs-read to call fs.realpathSync.native(), which could disclose whether files exist and resolve symlink targets outside the permitted directories. CVE-2026-21716 concerns lib/fs/promises, which similarly lacked proper permission enforcement. Both were fixed by RafaelGSS. Additionally, CVE-2026-21710 addresses an HTTP header prototype pollution vector by ensuring that the headersDistinct and trailersDistinct fields use a null-prototype object.
Vulnerability Summary
| CVE | Severity | Component | Impact |
|---|---|---|---|
| CVE-2026-21637 | High | TLS / SNICallback | Remote process crash |
| CVE-2026-21717 | Medium | V8 / JSON parsing | HashDoS / CPU exhaustion |
| CVE-2026-21713 | Medium | Web Crypto / HMAC | Timing oracle / MAC forgery |
| CVE-2026-21714 | Medium | HTTP/2 / nghttp2 | Memory leak / DoS |
| CVE-2026-21710 | Medium | HTTP headers | Prototype pollution |
| CVE-2026-21716 | Low | Permission Model (fs/promises) | Filesystem path disclosure |
| CVE-2026-21715 | Low | Permission Model (realpath) | Filesystem path disclosure |
What You Should Do
- Upgrade Immediately: Developers and system administrators are strongly advised to upgrade to the patched Node.js releases without delay. The recommended versions are v20.20.2, v22.22.2, v24.14.1, or v25.8.2.
- Prioritize Public-Facing Servers: Given that CVE-2026-21637 can be exploited remotely without authentication and directly causes process termination, environments hosting publicly accessible TLS servers should consider this upgrade a critical priority.
- Download from Official Channels: Installers and binaries for Windows, macOS, Linux (x64, ARM, PPC, s390x), and AIX platforms are available through the official Node.js distribution channels.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.