The Node.js project has released a coordinated set of security updates across its 20.x, 22.x, 24.x, and 25.x release lines. The updates address a total of nine vulnerabilities, including two High-severity flaws that let an unauthenticated remote client crash the Node.js process outright, alongside several Medium- and Low-severity bypasses in the experimental Permission Model.
The most serious fixes concern denial-of-service bugs: a single crafted request or TLS handshake is enough to bring down a Node.js server, and because the failure is an uncaught exception rather than an error event, the application's own error handling never gets a chance to intervene.
- Incomplete TLS Fix (CVE-2026-21637): This release addresses a “High” severity flaw in TLS error handling. The loadSNI() function in tls_wrap.js lacked a try/catch around the call into the application's SNICallback. If that callback throws synchronously on unexpected input (for example an unrecognised server name), the exception bypasses the normal 'error' event path and terminates the entire Node.js process, taking every open connection with it.
- The “__proto__” Header Attack (CVE-2026-21710): A second High-severity flaw exists in how Node.js handles HTTP request headers. If an attacker sends a request carrying a header named __proto__ and the application accesses req.headersDistinct, a TypeError is thrown internally that no 'error' listener on the server or request can catch, and the process crashes immediately.
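Until a fleet is fully upgraded, both crash paths can be fenced off at the application layer. The following is an added example written for this article, not code from the Node.js project or from either fix: safeSNICallback and findProtoHeader are this example's own names. It relies on two documented Node.js API facts, that tls.createServer calls SNICallback(servername, cb) and expects cb(err, secureContext), and that req.rawHeaders is a flat [name, value, name, value, ...] array with original casing that can be inspected before req.headers or req.headersDistinct is touched. It assumes, as the advisory text states, that the __proto__ crash only occurs once headersDistinct is accessed.

```javascript
// Added example: application-level guards for the two crash paths above.
// Not Node.js project code; safeSNICallback and findProtoHeader are this
// example's own names.

// 1. SNICallback guard. Node calls SNICallback(servername, cb) and expects
//    cb(err, secureContext). If the wrapped callback throws synchronously,
//    turn the throw into an error delivered through cb, so only that one
//    handshake fails instead of the exception escaping to the process.
function safeSNICallback(inner) {
  return function guarded(servername, cb) {
    let settled = false;
    // Guarantee cb is invoked at most once even if inner both calls it
    // and then throws.
    const once = (err, ctx) => {
      if (settled) return;
      settled = true;
      cb(err, ctx);
    };
    try {
      inner(servername, once);
    } catch (err) {
      once(err instanceof Error ? err : new Error(String(err)));
    }
  };
}

// 2. __proto__ header screen. Scans req.rawHeaders (flat array of
//    name/value pairs, original casing) before anything builds the parsed
//    header objects. Header names are case-insensitive, hence toLowerCase().
//    Returns the zero-based index of the offending header, or -1 if none.
function findProtoHeader(rawHeaders) {
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).toLowerCase() === '__proto__') {
      return i / 2;
    }
  }
  return -1;
}

// Usage sketch (not executed here):
//   const tls = require('node:tls'), http = require('node:http');
//   tls.createServer({ SNICallback: safeSNICallback(lookupContextByName) });
//   http.createServer((req, res) => {
//     if (findProtoHeader(req.rawHeaders) !== -1) {
//       res.writeHead(400); res.end(); return;   // reject before headersDistinct
//     }
//     const distinct = req.headersDistinct;       // now safe to read
//     ...
//   });

module.exports = { safeSNICallback, findProtoHeader };
```

The wrapper does not make a buggy SNICallback correct; it only converts a process-wide crash into a per-connection handshake failure, which is the behaviour the patched loadSNI() provides. Upgrading remains the actual fix.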
Several “Medium” and “Low” severity issues were identified in the Node.js Permission Model, an experimental feature used to restrict a script’s access to the network and filesystem.
- Network Bypass (CVE-2026-21711): Code running with restricted network permissions could create and expose local IPC endpoints over Unix Domain Sockets (UDS) without the --allow-net check being applied.
- Filesystem Leaks (CVE-2026-21715): A flaw in fs.realpathSync.native() allowed code to probe for file existence and resolve symlink targets even when the process had been restricted with --allow-fs-read.
- Promise-Based Permission Bypass (CVE-2026-21716): An incomplete fix for a prior vulnerability meant that while the callback-based filesystem functions were covered, their Promises API equivalents, FileHandle.chmod() and FileHandle.chown(), could still be used to change file permissions and ownership without authorization.
The security release also mitigates several other risks, including:
- HMAC Timing Side-Channel (CVE-2026-21713): A fix for non-constant-time comparisons during HMAC verification, which could have allowed attackers to infer secret values through high-resolution timing measurements.
- HTTP/2 Memory Leak (CVE-2026-21714): A resource exhaustion flaw where Http2Session objects were not cleaned up after receiving crafted WINDOW_UPDATE frames, letting a remote peer grow server memory over time.
- V8 HashDoS (CVE-2026-21717): A flaw in the V8 engine’s string hashing that allowed attackers to cause massive hash collisions, significantly degrading server performance.
Developers and system administrators are urged to upgrade immediately to the patched releases for their line: v20.20.2, v22.22.2, v24.14.1, or v25.8.2.