CVE-2026-21713

EUVD-2026-17174

30.03.2026, 20:16

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.

Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 30%

Debian Releases

Debian Product

Codename

nodejs

bookworm	vulnerable
bookworm (security)	18.20.4+dfsg-1~deb12u2 fixed
bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u8 fixed
forky	24.17.0+dfsg+~cs24.13.2-1 fixed
sid	24.18.0+dfsg+~cs24.13.2-1 fixed
trixie	20.19.2+dfsg-1+deb13u2 fixed
trixie (security)	20.19.2+dfsg-1+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

nodejs20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-devel

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-docs

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-devel

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-docs

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-devel

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-docs

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

npm20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

npm22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

npm24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

Amazon Linux Releases

Amazon Package

Release

nodejs20

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-debuginfo

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-debugsource

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-devel

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-docs

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-full-i18n

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-libs

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-libs-debuginfo

Amazon Linux 2023

1:20.20.2-1.amzn2023.0.1

fixed

nodejs20-npm

Amazon Linux 2023

1:10.8.2-1.20.20.2.1.amzn2023.0.1

fixed

nodejs22

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-debuginfo

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-debugsource

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-devel

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-docs

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-full-i18n

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-libs

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-libs-debuginfo

Amazon Linux 2023

1:22.22.2-1.amzn2023.0.1

fixed

nodejs22-npm

Amazon Linux 2023

1:10.9.7-1.22.22.2.1.amzn2023.0.1

fixed

nodejs24

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-debuginfo

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-debugsource

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-devel

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-docs

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-full-i18n

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-libs

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-libs-debuginfo

Amazon Linux 2023

1:24.14.1-1.amzn2023.0.1

fixed

nodejs24-npm

Amazon Linux 2023

1:11.11.0-1.24.14.1.1.amzn2023.0.1

fixed

v8-11.3-devel

Amazon Linux 2023

3:11.3.244.8-1.20.20.2.1.amzn2023.0.1

fixed

v8-12.4-devel

Amazon Linux 2023

3:12.4.254.21-1.22.22.2.1.amzn2023.0.1

fixed

v8-13.6-devel

Amazon Linux 2023

3:13.6.233.17-1.24.14.1.1.amzn2023.0.1

fixed

Azure Linux Releases

Azure Package

Release

nodejs

Azure Linux 3.0

0:20.14.0-15.azl3

fixed

nodejs24

Azure Linux 3.0

0:24.14.1-1.azl3

fixed

Common Weakness Enumeration

CWE-208 - Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases