cbcvebase.
CVE-2026-21713
published 2026-03-30

CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information…

medium5.9CVSS 3.0
AVNACHPRNUINSUCHINAN
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

Affected

26 ranges· showing 25
VendorProductVersion rangeFixed in
debiannodejs< nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)
nodejsnode>= 10.0 < 10.*10.*
nodejsnode>= 11.0 < 11.*11.*
nodejsnode>= 12.0 < 12.*12.*
nodejsnode>= 13.0 < 13.*13.*
nodejsnode>= 14.0 < 14.*14.*
nodejsnode>= 15.0 < 15.*15.*
nodejsnode>= 16.0 < 16.*16.*
nodejsnode>= 17.0 < 17.*17.*
nodejsnode>= 18.0 < 18.*18.*
nodejsnode>= 19.0 < 19.*19.*
nodejsnode20.20.1 – 20.20.1
nodejsnode22.22.1 – 22.22.1
nodejsnode24.14.0 – 24.14.0
nodejsnode25.8.1 – 25.8.1
nodejsnode>= 4.0 < 4.*4.*
nodejsnode>= 5.0 < 5.*5.*
nodejsnode>= 6.0 < 6.*6.*
nodejsnode>= 7.0 < 7.*7.*
nodejsnode>= 8.0 < 8.*8.*
nodejsnode>= 9.0 < 9.*9.*
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 22.22.2-r022.22.2-r0
nodejsnodejs>= 0 < 24.14.1-r024.14.1-r0
nodejsnodejs>= 0 < 20.19.2+dfsg-1+deb13u220.19.2+dfsg-1+deb13u2

CVSS provenance

nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv5.9MEDIUM