Nodejs Node vulnerabilities

97 known vulnerabilities affecting nodejs/node.

Total CVEs: 97
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 50, MEDIUM 32, LOW 6

Vulnerabilities

CVE-2026-21710 | HIGH | CVSS 7.5 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +18 more | 2026-03-30
CVE-2026-21710 [HIGH] CWE-770: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown sync
Sources: cvelistv5, nvd
CVE-2026-21717 | MEDIUM | CVSS 5.9 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +18 more | 2026-03-30
CVE-2026-21717 [MEDIUM]: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that ca
Sources: cvelistv5, nvd
CVE-2026-21713 | MEDIUM | CVSS 5.9 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +18 more | 2026-03-30
CVE-2026-21713 [MEDIUM]: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. N
Sources: cvelistv5, nvd
CVE-2026-21714 | MEDIUM | CVSS 5.3 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +2 more | 2026-03-30
CVE-2026-21714 [MEDIUM] CWE-401: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25
Sources: cvelistv5, nvd
CVE-2026-21712 | MEDIUM | CVSS 5.7 | ≥ 24.14.0, ≤ 24.14.0; ≥ 25.8.1, ≤ 25.8.1 | 2026-03-30
CVE-2026-21712 [MEDIUM]: A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Sources: cvelistv5, nvd
CVE-2026-21711 | MEDIUM | CVSS 5.3 | ≥ 25.8.1, ≤ 25.8.1; ≥ 4.0, < 4.*; +15 more | 2026-03-30
CVE-2026-21711 [MEDIUM] CWE-284: A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other
Sources: cvelistv5, nvd
CVE-2026-21715 | LOW | CVSS 3.3 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +18 more | 2026-03-30
CVE-2026-21715 [LOW] CWE-732: A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, reso
Sources: cvelistv5, nvd
CVE-2026-21716 | LOW | CVSS 3.3 | ≥ 20.20.1, ≤ 20.20.1; ≥ 22.22.1, ≤ 22.22.1; +2 more | 2026-03-30
CVE-2026-21716 [LOW]: An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and
Source: cvelistv5
CVE-2026-21636 | CRITICAL | CVSS 10.0 | ≥ 25.2.1, ≤ 25.2.1 | 2026-01-20
CVE-2026-21636 [CRITICAL] CWE-284: A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary
Sources: cvelistv5, nvd
CVE-2025-55130 | CRITICAL | CVSS 9.1 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +2 more | 2026-01-20
CVE-2025-55130 [CRITICAL] CWE-289: A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees
Sources: cvelistv5, nvd
CVE-2025-59464 | HIGH | CVSS 7.5 | ≥ 24.12.0, < 24.12.0 | 2026-01-20
CVE-2025-59464 [HIGH] CWE-400: A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead t
Sources: cvelistv5, nvd
CVE-2025-59466 | HIGH | CVSS 7.5 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +13 more | 2026-01-20
CVE-2025-59466 [HIGH] CWE-248: We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createH
Sources: cvelistv5, nvd
CVE-2026-21637 | HIGH | CVSS 7.5 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +17 more | 2026-01-20
CVE-2026-21637 [HIGH] CWE-400: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks
Sources: cvelistv5, nvd
CVE-2025-59465 | HIGH | CVSS 7.5 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +17 more | 2026-01-20
CVE-2025-59465 [HIGH] CWE-400: A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure socket
Sources: cvelistv5, nvd
CVE-2025-55131 | HIGH | CVSS 7.1 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +17 more | 2026-01-20
CVE-2025-55131 [HIGH] CWE-120: A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-proc
Sources: cvelistv5, nvd
CVE-2025-55132 | MEDIUM | CVSS 5.3 | ≥ 20.19.6, ≤ 20.19.6; ≥ 22.21.1, ≤ 22.21.1; +2 more | 2026-01-20
CVE-2025-55132 [MEDIUM] CWE-276: A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to a
Sources: cvelistv5, nvd
CVE-2025-27209 | HIGH | CVSS 7.5 | ≥ 24.0.0, < 24.4.1 | 2025-07-18
CVE-2025-27209 [HIGH] CWE-407: The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects
Sources: cvelistv5, nvd
CVE-2025-27210 | MEDIUM | CVSS 5.5 | PoC | ≥ 20.0.0, < 20.19.4; ≥ 22.0.0, < 22.17.1; +1 more | 2025-07-18
CVE-2025-27210 [MEDIUM]: An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
Source: cvelistv5
CVE-2025-23166 | HIGH | CVSS 7.5 | ≥ 4.0, < 4.*; ≥ 5.0, < 5.*; +19 more | 2025-05-19
CVE-2025-23166 [HIGH] CWE-248: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
Sources: cvelistv5, nvd
CVE-2025-23167 | MEDIUM | CVSS 6.5 | ≥ 4.0, < 4.*; ≥ 5.0, < 5.*; +15 more | 2025-05-19
CVE-2025-23167 [MEDIUM] CWE-444: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correc
Sources: cvelistv5, nvd