CVE-2026-21713

EUVD-2026-17174

30.03.2026, 20:16

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.

Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Debian Releases

Debian Product

Codename

nodejs

bookworm	vulnerable
bookworm (security)	18.20.4+dfsg-1~deb12u2 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	24.15.0+dfsg+~cs24.12.2-1 fixed
sid	24.15.0+dfsg+~cs24.12.2-1 fixed
trixie	vulnerable
trixie (security)	20.19.2+dfsg-1+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

nodejs20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-devel

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs20-docs

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

nodejs22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-devel

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs22-docs

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

nodejs24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-devel

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

nodejs24-docs

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

npm20

suse enterprise server 15 SP5	20.20.2-150500.11.27.1 fixed
suse enterprise server 15 SP6	20.20.2-150600.3.18.1 fixed

npm22

suse enterprise sap 15 SP7	22.22.2-150700.3.9.1 fixed
suse enterprise server 15 SP6	22.22.2-150600.13.15.1 fixed
suse enterprise server 15 SP7	22.22.2-150700.3.9.1 fixed

npm24

suse enterprise sap 15 SP7	24.14.1-150700.15.8.1 fixed
suse enterprise server 15 SP7	24.14.1-150700.15.8.1 fixed

Common Weakness Enumeration

CWE-208 - Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases