Node.js released security updates across its 20.x, 22.x, 24.x, and 25.x release lines to address multiple high-, medium-, and low-severity vulnerabilities and updated dependencies like undici. A notable issue is an incomplete fix for CVE-2026-21637 that left TLS SNICallback exception handling vulnerable to uncaught exceptions and potential remote DoS, alongside other HTTP and permission-model fixes. #CVE-2026-21637 #Node.js
Keypoints
- Security updates were released for Node.js 20.x, 22.x, 24.x, and 25.x to fix multiple vulnerabilities.
- An incomplete patch for CVE-2026-21637 left loadSNI() without try/catch, allowing SNICallback exceptions to cause remote DoS.
- CVE-2026-21710 allows a crafted HTTP request with a proto header to trigger an uncaught TypeError when accessing req.headersDistinct.
- Several medium-severity issues were fixed, including UDS permission bypass (CVE-2026-21711), IDN assertion crash (CVE-2026-21712), HMAC timing leak (CVE-2026-21713), HTTP/2 memory leak (CVE-2026-21714), and V8 HashDoS (CVE-2026-21717).
- Low-severity permission-model flaws (CVE-2026-21715, CVE-2026-21716) and dependency updates to undici were addressed in v20.20.2, v22.22.2, v24.14.1, and v25.8.2.
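The SNICallback issue above comes down to an application-supplied callback throwing inside Node's TLS handshake path with nothing to catch it. The following is an added example, not code from the advisory or from Node.js itself: a defensive wrapper an application can put around its own SNICallback so that a synchronous throw or a rejected promise is reported through the completion callback (which makes Node reject that one connection) instead of escaping as an uncaught exception that takes down the whole process. The `lookupContext` callback and the `demo` inputs are constructed for illustration; the returned context object is a stand-in for a real `tls.SecureContext`.

```javascript
// Added example: hardening wrapper for a user-supplied tls SNICallback.
// Node calls SNICallback(servername, cb) during the handshake; any error that
// reaches the TLS layer via cb(err) tears down only that connection, whereas an
// exception thrown out of the callback escapes the handshake and can crash the
// process. This wrapper turns the second case into the first.
function guardSNICallback(userCallback) {
  return function guardedSNICallback(servername, cb) {
    let done = false;
    // Ensure the TLS layer is completed exactly once, even if the user callback
    // both throws and calls cb, or calls cb twice.
    const finish = (err, ctx) => {
      if (done) return;
      done = true;
      cb(err, ctx);
    };
    try {
      const result = userCallback(servername, finish);
      // Also support callbacks that return a promise instead of calling cb.
      if (result && typeof result.then === 'function') {
        result.then((ctx) => finish(null, ctx), (err) => finish(err));
      }
    } catch (err) {
      finish(err); // synchronous throw: reject this handshake, keep the process alive
    }
  };
}

// Intended use (certificate options omitted; hypothetical names):
//   tls.createServer({ ...certOpts, SNICallback: guardSNICallback(lookupContext) });

// Demonstration with a constructed lookup that throws for an unknown hostname.
function demo() {
  const lookupContext = (servername, cb) => {
    if (servername !== 'example.test') {
      throw new Error('no context for ' + servername);
    }
    cb(null, { tag: 'ctx-for-' + servername }); // stand-in for a tls.SecureContext
  };
  const guarded = guardSNICallback(lookupContext);
  const results = {};
  guarded('example.test', (err, ctx) => { results.ok = { err, ctx }; });
  guarded('unknown.test', (err, ctx) => { results.bad = { err: err && err.message, ctx }; });
  return results;
}
```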
Read More: https://thecyberexpress.com/nodejs-cve-2026-21637/