Threat Advisory

Multiple Node.js Vulnerabilities Enable Remote Execution

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Node.js Long-Term Support (LTS) branch, specifically version 20.20.2 'Iron', and earlier versions 22.x, 24.x, and 25.x. The vulnerabilities include remote process crashes, memory leaks, denial-of-service (DoS) attacks, and hash collisions. These issues can be triggered remotely without authentication, posing a significant risk to Node.js applications. The business risk and impact of these vulnerabilities are severe, as they can lead to data loss, system compromise, and reputational damage.

CVE-2026-21637 with a CVSS score of 9.0 – This high-severity vulnerability involves a TLS SNICallback flaw that leaves Node.js TLS error handling unprotected against synchronous exceptions. A malicious client can send an unexpected servername value, causing the Node.js process to crash.

CVE-2026-21714 with a CVSS score of 7.5 – This medium-severity vulnerability affects Node.js HTTP/2 servers and involves unhandled NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can send malformed WINDOW_UPDATE frames on stream 0, triggering a memory leak in the server process.

CVE-2026-21717 with a CVSS score of 7.2 – This medium-severity vulnerability targets V8's internal string hashing mechanism, which hashes integer-like strings to their numeric values. An adversary can significantly degrade the performance of the Node.js process in a classic HashDoS attack.

CVE-2026-21713 with a CVSS score of 7.5 – This medium-severity vulnerability introduces a timing side-channel in Node.js Web Cryptography HMAC verification. The flaw arises from using a non-constant-time memcmp() comparison when validating user-provided HMAC signatures, leaking timing information proportional to the number of matching bytes.

CVE-2026-21710 with a CVSS score of 5.5 – This medium-severity vulnerability affects Node.js HTTP headers and involves a prototype pollution vector. A malicious client can pollute HTTP headers using a null-prototype object for headersDistinct and trailersDistinct fields.

CVE-2026-21716 with a CVSS score of 4.3 – This low-severity vulnerability involves permission model bypasses in lib/fs/promises. Code running under --permission with restricted --allow-fs-read can use fs.realpathSync.native() to disclose file existence and resolve symlink paths outside permitted directories.

CVE-2026-21715 with a CVSS score of 4.3 – This low-severity vulnerability involves permission model bypasses. Code running under --permission with restricted --allow-fs-read can use fs.realpathSync.native() to disclose file existence and resolve symlink paths outside permitted directories.

The identified vulnerabilities pose a significant risk to Node.js applications, particularly those hosting publicly accessible TLS servers. It is essential to upgrade immediately to the patched releases to prevent potential data loss, system compromise, and reputational damage. Environments hosting publicly accessible TLS servers should treat this upgrade as a critical priority.

RECOMMENDATION:

We recommend updating Node.js to version 20.20.2, 22.22.2, 24.14.1, or 25.8.2, depending on the release line in use.
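To support that recommendation, the following is an added example (not part of the advisory) that checks reported Node.js version strings against the fixed releases named above. It assumes versions in the `node --version` format; release lines the advisory does not list (for example 18.x) are reported as not covered rather than as patched.

```javascript
// Added example: compare Node.js version strings against the fixed releases
// from the advisory's recommendation (20.20.2, 22.22.2, 24.14.1, 25.8.2).
const FIXED_VERSIONS = {
  20: '20.20.2',
  22: '22.22.2',
  24: '24.14.1',
  25: '25.8.2',
};

// Parse "v20.19.0" or "20.19.0" into a [major, minor, patch] triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { line, fixed, patched }. `patched` is true/false for lines the
// advisory covers, and null for lines it does not mention (no conclusion).
function checkNodeVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return { line: `${parsed[0]}.x`, fixed: null, patched: null };
  const patched = compareVersions(parsed, parseVersion(fixed)) >= 0;
  return { line: `${parsed[0]}.x`, fixed, patched };
}

// Constructed inventory of version strings as `node --version` would print them.
const inventory = ['v20.19.0', 'v22.22.2', 'v24.14.0', 'v25.8.2', 'v18.20.4'];
for (const v of inventory) {
  const r = checkNodeVersion(v);
  const verdict = r.patched === null ? 'not covered by this advisory'
    : r.patched ? `patched (>= ${r.fixed})` : `UPGRADE to ${r.fixed}`;
  console.log(v.padEnd(10), verdict);
}

// Check the runtime executing this script as well.
console.log('this runtime:', process.version, checkNodeVersion(process.version));
```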

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/node-js-patches-multiple-vulnerabilities/
