CVE-2026-21710

EUVD-2026-17170

30.03.2026, 20:16

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.

When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.

* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Debian Releases

Debian Product

Codename

nodejs

bookworm	vulnerable
bookworm (security)	18.20.4+dfsg-1~deb12u2 fixed
bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u8 fixed
forky	24.17.0+dfsg+~cs24.13.2-1 fixed
sid	24.18.0+dfsg+~cs24.13.2-1 fixed
trixie	20.19.2+dfsg-1+deb13u2 fixed
trixie (security)	20.19.2+dfsg-1+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

nodejs20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-devel

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-docs

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-devel

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-docs

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-devel

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-docs

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

npm20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

npm22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

npm24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

Amazon Linux Releases

Amazon Package

Release

nodejs20

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-debuginfo

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-debugsource

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-devel

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-docs

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-full-i18n

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-libs

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-libs-debuginfo

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-npm

Amazon Linux 2023

1:10.8.2-1.20.20.2.1.amzn2023.0.1

fixed

nodejs22

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-debuginfo

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-debugsource

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-devel

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-docs

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-full-i18n

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-libs

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-libs-debuginfo

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-npm

Amazon Linux 2023

1:10.9.7-1.22.22.2.1.amzn2023.0.1

fixed

nodejs24

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-debuginfo

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-debugsource

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-devel

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-docs

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-full-i18n

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-libs

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-libs-debuginfo

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-npm

Amazon Linux 2023

1:11.11.0-1.24.14.1.1.amzn2023.0.1

fixed

v8-11.3-devel

Amazon Linux 2023

3:11.3.244.8-1.20.20.2.1.amzn2023.0.1

fixed

v8-12.4-devel

Amazon Linux 2023

3:12.4.254.21-1.22.22.2.1.amzn2023.0.1

fixed

v8-13.6-devel

Amazon Linux 2023

3:13.6.233.17-1.24.14.1.1.amzn2023.0.1

fixed

Azure Linux Releases

Azure Package

Release

nodejs

Azure Linux 3.0

0:20.14.0-15.azl3

fixed

nodejs24

Azure Linux 3.0

0:24.14.1-1.azl3

fixed

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases