CVE-2026-21710

EUVD-2026-17170

30.03.2026, 20:16

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.

When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.

* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Debian Releases

Debian Product

Codename

nodejs

bookworm	vulnerable
bookworm (security)	18.20.4+dfsg-1~deb12u2 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	24.15.0+dfsg+~cs24.12.2-1 fixed
sid	24.15.0+dfsg+~cs24.12.2-1 fixed
trixie	vulnerable
trixie (security)	20.19.2+dfsg-1+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

nodejs20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-devel

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-docs

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-devel

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-docs

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-devel

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-docs

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

npm20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

npm22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

npm24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases