CVE-2026-21713 — Observable Timing Discrepancy in Node

CWE-208 — Observable Timing Discrepancy9 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 94.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Nodejs Node

Timeline

PublishedMar 30

Description

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an inte…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5nodejs/node4.0 — 4.*+19

▶Alpinenodejs/nodejs< 22.22.2-r0+2

▶Debiannodejs/nodejs< 20.19.2+dfsg-1+deb13u2+1

🔴Vulnerability Details

OSV

CVE-2026-21713: A flaw in Node↗2026-03-30

▶

OSV

CVE-2026-21713: A flaw in Node↗2026-03-30

▶

CVEList

CVE-2026-21713: A flaw in Node↗2026-03-30

▶

GHSA

GHSA-6r7g-3mm3-fhw7: A flaw in Node↗2026-03-30

▶

📋Vendor Advisories

Red Hat

Node.js: Node.js: Information disclosure via timing oracle in HMAC verification↗2026-03-30

▶

Debian

CVE-2026-21713: nodejs - A flaw in Node.js HMAC verification uses a non-constant-time comparison when val...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21713 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-21713 Node.js: Node.js: Information disclosure via timing oracle in HMAC verification↗2026-03-30

▶