CVE-2026-21710Allocation of Resources Without Limits or Throttling in Node

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-843Type Confusion9 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 94.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
NodejsNodejs Node
Timeline
PublishedMar 30

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.h

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5nodejs/node4.04.*+19
Alpinenodejs/nodejs< 22.22.2-r0+2
Debiannodejs/nodejs< 20.19.2+dfsg-1+deb13u2+1

🔴Vulnerability Details

4
CVEList
CVE-2026-21710: A flaw in Node2026-03-30
OSV
CVE-2026-21710: A flaw in Node2026-03-30
OSV
CVE-2026-21710: A flaw in Node2026-03-30
GHSA
GHSA-xv6w-gxj8-v943: A flaw in Node2026-03-30

📋Vendor Advisories

2
Red Hat
Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header2026-03-30
Debian
CVE-2026-21710: nodejs - A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a re...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-21710 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-21710 Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header2026-03-30
CVE-2026-21710 — Nodejs Node vulnerability | cvebase