cbcvebase.
CVE-2026-21710
published 2026-03-30

CVE-2026-21710: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses…

high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
debiannodejs< nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)
nodejsnode>= 10.0 < 10.*10.*
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.*12.*
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.*14.*
nodejsnode>= 15.0 < 15.*15.*
nodejsnode>= 16.0 < 16.*16.*
nodejsnode>= 17.0 < 17.*17.*
nodejsnode>= 18.0 < 18.*18.*
nodejsnode>= 19.0 < 19.*19.*
nodejsnode20.20.1 – 20.20.1
nodejsnode22.22.1 – 22.22.1
nodejsnode24.14.0 – 24.14.0
nodejsnode25.8.1 – 25.8.1
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*
nodejsnode>= 9.0 < 9.*9.*
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 24.14.1-r024.14.1-r0
nodejsnodejs>= 0 < 20.19.2+dfsg-1+deb13u220.19.2+dfsg-1+deb13u2

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH