Node.js Patches Critical DoS and Process Crash Vulnerabilities

By David Kimber
March 25, 2026

Key Takeaways

  • Node.js has released critical security updates for its Long-Term Support (LTS) and current branches.
  • Seven vulnerabilities have been addressed, including critical denial-of-service (DoS) and process crash flaws.
  • Affected components include TLS, HTTP/2, V8, and the Web Cryptography API.
  • Immediate upgrades are crucial, especially for servers exposed to the internet, to mitigate remote exploitation risks.

Node.js Addresses Critical DoS and Process Crash Vulnerabilities in Latest Security Release

On March 24, 2026, the Node.js project shipped a security release across its supported lines, headed by version 20.20.2 of the ‘Iron’ Long-Term Support (LTS) branch. The update addresses seven vulnerabilities spanning several core components of the Node.js runtime.

The patches tackle issues ranging from error handling in TLS and HTTP/2 flow control to cryptographic timing leaks, potential permission model bypasses, and a weakness in V8’s hash-table implementation. Several of these flaws present a severe risk as they can be triggered remotely without requiring authentication.

Critical TLS SNICallback Flaw Leads to Remote Process Crash

The most pressing vulnerability in this release is CVE-2026-21637, rated High severity. The fix completes an earlier, incomplete patch for a TLS vulnerability tracked under the same identifier. The root cause is a gap in Node.js’s TLS error handling: SNICallback invocations were left exposed to synchronous exceptions. The equivalent ALPN and PSK callbacks had already been protected, but SNICallback was not.

The vulnerability manifests when a TLS client transmits an unexpected servername value. This action causes an exception to be thrown, which bypasses standard TLS error handlers and propagates as an uncaught exception, leading to an immediate crash of the Node.js process. Matteo Collina contributed the fix, which involves wrapping SNICallback invocations within a try/catch block. Any TLS server operating on Node.js versions 20.x, 22.x, 24.x, or 25.x where SNICallback is configured to potentially throw exceptions is susceptible.
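The try/catch pattern behind the fix, as an added example that is not the Node.js project's code: a wrapper that turns a synchronous throw inside an SNICallback handler into a callback error, so a single bad handshake fails instead of the whole process. The `contextsByHost` table and `strictHandler` are assumptions made for the illustration.

```javascript
// Added example (not Node.js project code): make a throwing SNICallback fail
// only the current handshake instead of the whole process.

// Hypothetical per-hostname secure-context table (assumed for the example);
// in a real server the values would come from tls.createSecureContext().
const contextsByHost = new Map();

// Wrap any SNICallback-style handler (servername, cb) so that a synchronous
// exception is reported through cb(err) rather than escaping the TLS layer.
// Usage: tls.createServer({ key, cert, SNICallback: safeSniCallback(handler) })
function safeSniCallback(handler) {
  return function wrapped(servername, cb) {
    let done = false;
    // Guarantee the TLS layer hears back exactly once, even if the handler
    // both calls cb and then throws.
    const once = (err, ctx) => {
      if (!done) {
        done = true;
        cb(err, ctx);
      }
    };
    try {
      handler(servername, once);
    } catch (err) {
      once(err); // abort this handshake; the server keeps serving other clients
    }
  };
}

// A handler that rejects unknown server names by throwing: the pattern that
// crashed unpatched 20.x/22.x/24.x/25.x servers when a client sent an
// unexpected servername.
function strictHandler(servername, cb) {
  const ctx = contextsByHost.get(servername);
  if (ctx === undefined) {
    throw new Error(`no certificate configured for ${servername}`);
  }
  cb(null, ctx);
}

// Drive a handler directly (no socket needed) and record what happened.
function runHandler(handler, servername) {
  const result = { threw: false, err: null, ctx: undefined };
  try {
    handler(servername, (err, ctx) => {
      result.err = err;
      result.ctx = ctx;
    });
  } catch (err) {
    result.threw = true;
  }
  return result;
}
```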

HTTP/2 Flow Control Error Triggers Memory Leak and DoS

Another significant issue is CVE-2026-21714, rated Medium severity. This vulnerability impacts Node.js HTTP/2 servers and involves the inadequate handling of NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can exploit this by sending malformed WINDOW_UPDATE frames on stream 0. Repeated connections leveraging this technique can trigger a memory leak within the server process.

If left unaddressed, this persistent memory leak can lead to resource exhaustion, ultimately resulting in a denial-of-service condition. RafaelGSS provided the patch, which introduces explicit handling for this specific nghttp2 error code within the Node.js source layer.

V8 HashDoS via Array Index Collision

CVE-2026-21717, also rated Medium, targets the V8 JavaScript engine’s internal string hashing mechanism. V8 hashes integer-like strings to their numeric values, which makes hash collisions predictably trivial. An attacker can craft a payload, often through functions like JSON.parse() on attacker-controlled input, designed to force numerous such collisions.

This technique can severely degrade the performance of the Node.js process, leading to a classic HashDoS attack. Joyee Cheung contributed the fix, which has been applied across the dependencies, build, and test layers of the Node.js project.

Cryptographic Timing Oracle in HMAC Verification

A Medium-severity timing side-channel vulnerability, CVE-2026-21713, has been identified in Node.js Web Cryptography HMAC verification. The flaw arises from the use of a non-constant-time memcmp() function when validating user-provided HMAC signatures. This implementation detail leaks timing information proportional to the number of bytes that match during the comparison.

Under precise measurement conditions, this timing disparity can serve as an oracle, potentially allowing an attacker to infer HMAC values. Filip Skokan resolved this issue by replacing the vulnerable comparison with a timing-safe primitive already available within the codebase.

Permission Model Bypasses and Other Fixes

Two low-severity permission model bypasses were also addressed. CVE-2026-21715 allowed code executed with --permission and restricted --allow-fs-read to use fs.realpathSync.native(). This could disclose file existence and resolve symlink paths outside of permitted directories. CVE-2026-21716 extended coverage to lib/fs/promises, which similarly lacked proper permission enforcement. Both were fixed by RafaelGSS. Additionally, CVE-2026-21710 addresses an HTTP header prototype pollution vector by ensuring that headersDistinct and trailersDistinct fields utilize a null-prototype object.
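Why the null-prototype change for headersDistinct and trailersDistinct matters, as an added example that is not the Node.js project's code: the same name-to-values accumulation is run over a constructed raw header list, once into a plain `{}` and once into `Object.create(null)`.

```javascript
// Added example (not Node.js project code): why a header-name -> [values]
// table must be a null-prototype object. RAW is a constructed raw header list
// in the [name, value, name, value, ...] layout Node.js uses.
const RAW = [
  'Host', 'example.test',
  'X-Id', 'a',
  'X-Id', 'b',
  '__proto__', 'polluted',   // client-chosen names that collide with
  'constructor', 'x',        // properties inherited from Object.prototype
];

// Accumulate repeated headers into arrays, keyed by lower-cased name.
function collectDistinct(rawHeaders, container) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (container[name] === undefined) container[name] = [];
    container[name].push(value);
  }
  return container;
}

// Plain {}: '__proto__' resolves to Object.prototype and 'constructor' to the
// Object function, so .push is not a function and the request handler throws.
function withPlainObject() {
  return collectDistinct(RAW, {});
}

// Null prototype: every name is an ordinary own key, as in the patched
// headersDistinct / trailersDistinct objects.
function withNullPrototype() {
  return collectDistinct(RAW, Object.create(null));
}

function throwsFor(fn) {
  try {
    fn();
    return false;
  } catch (err) {
    return true;
  }
}
```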

Vulnerability Summary

CVE             Severity  Component                        Impact
CVE-2026-21637  High      TLS / SNICallback                Remote process crash
CVE-2026-21717  Medium    V8 / JSON parsing                HashDoS / CPU exhaustion
CVE-2026-21713  Medium    Web Crypto / HMAC                Timing oracle / MAC forgery
CVE-2026-21714  Medium    HTTP/2 / nghttp2                 Memory leak / DoS
CVE-2026-21710  Medium    HTTP headers                     Prototype pollution
CVE-2026-21716  Low       Permission Model (fs/promises)   Filesystem path disclosure
CVE-2026-21715  Low       Permission Model (realpath)      Filesystem path disclosure

What You Should Do

  • Upgrade Immediately: Developers and system administrators are strongly advised to upgrade to the patched Node.js releases without delay. The recommended versions are v20.20.2, v22.22.2, v24.14.1, or v25.8.2.
  • Prioritize Public-Facing Servers: Given that CVE-2026-21637 can be exploited remotely without authentication and directly causes process termination, environments hosting publicly accessible TLS servers should consider this upgrade a critical priority.
  • Download from Official Channels: Installers and binaries for Windows, macOS, Linux (x64, ARM, PPC, s390x), and AIX platforms are available through the official Node.js distribution channels.
