Node.js Fixes Critical Flaws in New Security Release, Warns of Remote DoS Risk in TLS SNICallback Handling
Node.js has released a fresh round of security updates across its 20.x, 22.x, 24.x, and 25.x release lines to address multiple vulnerabilities ranging from high to low severity, including a remotely triggerable denial-of-service condition tied to incomplete handling of a previously patched TLS issue.
The most notable issue is an incomplete fix for CVE-2026-21637. According to the Node.js project, all supported release lines that previously received the original fix remained vulnerable in scenarios where a TLS server’s SNICallback throws synchronously on unexpected servername input. In that case, the exception can bypass TLS error handlers and propagate as an uncaught exception, crashing the Node.js process and opening the door to a potential remote DoS attack.
The Node.js security team said this affects any TLS server on the impacted branches where SNICallback may throw on malformed or unexpected input. That makes the flaw especially relevant for internet-facing applications, reverse proxies, API endpoints, and services that terminate TLS directly inside Node.js.
The patched releases are Node.js 20.20.2, 22.22.2, 24.14.1, and 25.8.2. In each of them, the fix explicitly wraps SNICallback invocation in try/catch handling to prevent synchronous exceptions from bringing down the process.
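The defensive pattern the fix applies can be reproduced in application code: wrap a custom SNICallback so that a synchronous throw is delivered as the callback's error for that one handshake instead of escaping as an uncaught exception. The block below is an added example, not the Node.js project's own code; `strictSNICallback`, `guardSNICallback`, `probe` and the `knownHosts` table are constructed here for illustration.

```javascript
// Added example (not Node.js project code): a guard for a custom SNICallback.
// On unpatched builds a callback that throws synchronously on an unexpected
// servername could escape the TLS error handlers and crash the process; the
// patched releases wrap the invocation in try/catch. Applying the same guard
// to your own callback contains the failure to one handshake on any version.

// Constructed table of SNI names the server knows about. In a real server the
// values would be SecureContext objects from tls.createSecureContext({...}).
const knownHosts = new Map([
  ['example.test', { name: 'example.test' }], // placeholder context
]);

// Hypothetical application callback that throws on names it does not expect,
// which is the behaviour the advisory describes.
function strictSNICallback(servername, cb) {
  const ctx = knownHosts.get(servername);
  if (ctx === undefined) throw new Error(`unknown servername: ${servername}`);
  cb(null, ctx);
}

// Wrap any SNICallback so a synchronous throw is delivered as the callback's
// error argument. The handshake for that connection fails; the process stays up.
function guardSNICallback(fn) {
  return function guarded(servername, cb) {
    let settled = false;
    const once = (err, ctx) => {
      if (settled) return; // ignore a second call (e.g. cb ran, then fn threw)
      settled = true;
      cb(err, ctx);
    };
    try {
      fn(servername, once);
    } catch (err) {
      once(err);
    }
  };
}

// Drive the guarded callback with a servername and report the outcome, so the
// behaviour can be checked without a live TLS socket.
function probe(servername) {
  const guarded = guardSNICallback(strictSNICallback);
  let result = { ok: false, error: 'callback never invoked' };
  guarded(servername, (err, ctx) => {
    result = err ? { ok: false, error: err.message } : { ok: Boolean(ctx), error: null };
  });
  return result;
}
```

In a real server, pass `guardSNICallback(yourCallback)` as the `SNICallback` option to `tls.createServer()`. On the patched releases the runtime performs the same try/catch itself, so the wrapper is redundant there, but it keeps a throwing callback from taking the process down on builds that have not yet been upgraded.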
The update also fixes another high-severity issue, CVE-2026-21710, in Node.js HTTP servers. The project said headersDistinct and trailersDistinct could be abused because dest["__proto__"] resolved to Object.prototype instead of undefined, causing a synchronous exception that could not be intercepted by normal error event listeners. In practice, this meant a crafted request could trigger an application crash unless every access was individually wrapped in try/catch. The fix changes those structures to use a null prototype.
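The mechanism behind the header bug is easy to reproduce in miniature. The block below is an added example, not the Node.js source: it models a "distinct headers" map once with a plain object and once with a null prototype, using a constructed raw-header list that includes a `__proto__` header name. The grouping loop (`groupHeadersPlain`, `groupHeadersNullProto`, `plainFailure`) is written here for illustration and is not the runtime's implementation.

```javascript
// Added example, not the Node.js source: a reduced model of why a plain
// object is unsafe as a "distinct headers" map and how a null prototype
// fixes it. Header names are lower-cased and grouped into arrays, as
// headersDistinct does; the merge logic is constructed for illustration.

// Before: a plain object. Looking up "__proto__" returns Object.prototype
// rather than undefined, so the code takes the "already present" branch and
// calls .push on Object.prototype, throwing a TypeError synchronously.
function groupHeadersPlain(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) {
      dest[name] = [value];
    } else {
      dest[name].push(value);
    }
  }
  return dest;
}

// After: Object.create(null). There is no inherited __proto__ accessor, so
// "__proto__" is an ordinary key that starts out undefined like any other.
function groupHeadersNullProto(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (dest[name] === undefined) {
      dest[name] = [value];
    } else {
      dest[name].push(value);
    }
  }
  return dest;
}

// Constructed raw header list in the [name, value, name, value, ...] shape
// that Node.js exposes as rawHeaders: one repeated header and one hostile name.
const sampleRawHeaders = [
  'Host', 'example.test',
  'X-Forwarded-For', '10.0.0.1',
  'x-forwarded-for', '10.0.0.2',
  '__proto__', 'polluted',
];

// Returns the name of the error the plain-object version throws for the
// given headers, or null if grouping succeeded without an exception.
function plainFailure(rawHeaders) {
  try {
    groupHeadersPlain(rawHeaders);
    return null;
  } catch (err) {
    return err.constructor.name;
  }
}
```

With the plain object the `__proto__` entry throws inside the grouping loop, which is exactly the kind of synchronous exception an `'error'` listener on the server never sees. With the null-prototype object the same entry is stored as an ordinary own property and the prototype of the result stays `null`.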
Beyond the two headline bugs, the March 24, 2026 security release includes several medium-severity fixes. These include a Web Cryptography issue, tracked as CVE-2026-21713, where HMAC and KMAC comparisons were not using timing-safe comparison logic, creating a theoretical side-channel risk. Node.js also patched CVE-2026-21714, which improves handling of NGHTTP2_ERR_FLOW_CONTROL conditions, and CVE-2026-21717, which addresses an array index hash collision issue that could be triggered through attacker-controlled input reaching JSON.parse().
The release further hardens Node.js’s permission model. The project patched CVE-2026-21715, which allowed code running under restricted --allow-fs-read rules to use fs.realpathSync.native() to check file existence and resolve paths outside permitted directories. It also fixed CVE-2026-21716, which allowed promise-based FileHandle methods to alter file permissions and ownership on already-open descriptors despite --allow-fs-write restrictions. On the 25.x line, additional medium-severity permission-model fixes include CVE-2026-21711 in pipe_wrap.cc and CVE-2026-21712, a URL parsing crash condition.
The Node.js project also noted dependency updates as part of the broader security response. Earlier security releases on these same branches included undici updates, and the current advisories continue the pattern of bundling runtime fixes with underlying dependency refreshes where needed. That matters for production users because Node.js security exposure often spans both core runtime behavior and bundled libraries that handle HTTP and network operations.
From an operational standpoint, the key risk here is reliability. Both the SNICallback flaw and the HTTP header bug can lead to process crashes rather than silent compromise. But for exposed production services, a remotely triggerable crash condition can still have serious consequences, especially in environments where applications are stateful, poorly supervised, or sensitive to repeated restart loops. In some cases, it can also become a convenient prelude to broader service disruption or a smokescreen for follow-on activity. This is an inference based on the nature of the bugs and not a claim by Node.js that active exploitation is occurring.
Organizations running Node.js in production should prioritize upgrades to the latest patched builds, especially if they terminate TLS directly, expose HTTP services to untrusted traffic, or rely on the permission model for sandboxing. Teams should also review any custom SNICallback logic, ensure process supervision is in place, and test security updates promptly across staging and production environments.