nodejs · nodejs-github-bot · Mar 24, 2026
@@ -2,8 +2,8 @@
   "cve": [
     "CVE-2025-59464"
   ],
-  "vulnerable": "24.x",
-  "patched": "^24.12.0",
+  "vulnerable": "20.x || 22.x || 24.x",
+  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
   "description": "Memory leak that enables remote Denial of Service against applications processing TLS client certificates",
   "overview": "A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.",

@@ -3,12 +3,12 @@
     "CVE-2026-21637"
   ],
   "vulnerable": "20.x || 22.x || 24.x || 25.x",
-  "patched": "^20.20.0 || ^22.22.0 || ^24.13.0 || ^25.3.0",
-  "ref": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases",
-  "description": "TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak",
-  "overview": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS",
+  "overview": "A flaw in Node.js TLS error handling leaves `SNICallback` invocations unprotected against synchronous exceptions, while the equivalent ALPN and PSK callbacks were already addressed in CVE-2026-21637. This represents an incomplete fix of that prior vulnerability.\n\nWhen an `SNICallback` throws synchronously on unexpected input the exception bypasses TLS error handlers and propagates as an uncaught exception, crashing the Node.js process.\n\n* This vulnerability affects all Node.js versions that received the CVE-2026-21637 fix, including **20.x, 22.x, 24.x, and 25.x**, on any TLS server where `SNICallback` may throw on unexpected `servername` input.",
   "affectedEnvironments": [
     "all"
   ],
-  "severity": "medium"
+  "severity": "high"
 }
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21710"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)",
+  "overview": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\n\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\n\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x** ",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21711"
+  ],
+  "vulnerable": "25.x",
+  "patched": "^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`",
+  "overview": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\n\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\n\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21712"
+  ],
+  "vulnerable": "24.x || 25.x",
+  "patched": "^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Assertion error in node_url.cc via malformed URL format leads to Node.js crash",
+  "overview": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.\n\n* This vulnerability affects **24.x and 25.x**.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21713"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery",
+  "overview": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\n\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\n\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21714"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion",
+  "overview": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\n\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21715"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "Permission Model Bypass in realpathSync.native Allows File Existence Disclosure",
+  "overview": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\n\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\n\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "low"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21716"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown",
+  "overview": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\n\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\n\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "low"
+}
@@ -0,0 +1,14 @@
+{
+  "cve": [
+    "CVE-2026-21717"
+  ],
+  "vulnerable": "20.x || 22.x || 24.x || 25.x",
+  "patched": "^20.20.2 || ^22.22.2 || ^24.14.1 || ^25.8.2",
+  "ref": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases",
+  "description": "HashDoS in V8",
+  "overview": "A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.\n\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\n\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**.",
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
+}