Node.js Fixes CVE-2026-21637 And Critical Flaws Now
The Node.js project has issued security updates for the 20.x, 22.x, 24.x, and 25.x release lines, addressing vulnerabilities including CVE-2026-21637 and CVE-2026-21710. CVE-2026-21637 involves improper exception handling in the TLS layer and can lead to Remote Denial of Service. The update also addresses a high severity issue in HTTP request processing, where a proto header can trigger an uncaught TypeError. These vulnerabilities affect all of the listed Node.js versions, particularly in environments where malformed server name inputs can reach the server.
"CVE-2026-21637 stems from improper exception handling in the TLS layer, specifically in the loadSNI() function, which lacked a try/catch mechanism, exposing SNICallback executions to unhandled synchronous exceptions."
"The vulnerability can crash a Node.js process, leading to a potential Remote Denial of Service (DoS), particularly in environments where SNICallback may fail on malformed server name inputs."
"CVE-2026-21710 affects HTTP request processing, where a specially crafted request containing a proto header can trigger an uncaught TypeError when accessing req.headersDistinct."
Read at The Cyber Express