[AutoPR- Security] Patch nodejs for CVE-2026-21716, CVE-2026-21715, CVE-2026-21714, CVE-2026-21713, CVE-2026-21710 [HIGH] (#16411)

azurelinux-security · jslobodzian · web-flow · commit 309e090038d7 · 2026-04-07T12:44:19.000-04:00
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2026-21710.patch b/SPECS/nodejs/CVE-2026-21710.patch
@@ -0,0 +1,152 @@
+From 286a9c4e5b1b7bb7373195992a0f570c3eab8aaa Mon Sep 17 00:00:00 2001
+From: Matteo Collina <hello@matteocollina.com>
+Date: Thu, 19 Feb 2026 15:49:43 +0100
+Subject: [PATCH] http: use null prototype for headersDistinct/trailersDistinct
+
+Use { __proto__: null } instead of {} when initializing the
+headersDistinct and trailersDistinct destination objects.
+
+A plain {} inherits from Object.prototype, so when a __proto__
+header is received, dest["__proto__"] resolves to Object.prototype
+(truthy), causing _addHeaderLineDistinct to call .push() on it,
+which throws an uncaught TypeError and crashes the process.
+
+Ref: https://hackerone.com/reports/3560402
+PR-URL: https://github.com/nodejs-private/node-private/pull/821
+Refs: https://hackerone.com/reports/3560402
+Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
+Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
+CVE-ID: CVE-2026-21710
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d.patch
+---
+ lib/_http_incoming.js                         |  4 +--
+ .../test-http-headers-distinct-proto.js       | 36 +++++++++++++++++++
+ test/parallel/test-http-multiple-headers.js   | 16 ++++-----
+ 3 files changed, 46 insertions(+), 10 deletions(-)
+ create mode 100644 test/parallel/test-http-headers-distinct-proto.js
+
+diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
+index e45ae819..77433e55 100644
+--- a/lib/_http_incoming.js
++++ b/lib/_http_incoming.js
+@@ -131,7 +131,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'headersDistinct', {
+   __proto__: null,
+   get: function() {
+     if (!this[kHeadersDistinct]) {
+-      this[kHeadersDistinct] = {};
++      this[kHeadersDistinct] = { __proto__: null };
+ 
+       const src = this.rawHeaders;
+       const dst = this[kHeadersDistinct];
+@@ -171,7 +171,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'trailersDistinct', {
+   __proto__: null,
+   get: function() {
+     if (!this[kTrailersDistinct]) {
+-      this[kTrailersDistinct] = {};
++      this[kTrailersDistinct] = { __proto__: null };
+ 
+       const src = this.rawTrailers;
+       const dst = this[kTrailersDistinct];
+diff --git a/test/parallel/test-http-headers-distinct-proto.js b/test/parallel/test-http-headers-distinct-proto.js
+new file mode 100644
+index 00000000..bd4cb82b
+--- /dev/null
++++ b/test/parallel/test-http-headers-distinct-proto.js
+@@ -0,0 +1,36 @@
++'use strict';
++
++const common = require('../common');
++const assert = require('assert');
++const http = require('http');
++const net = require('net');
++
++// Regression test: sending a __proto__ header must not crash the server
++// when accessing req.headersDistinct or req.trailersDistinct.
++
++const server = http.createServer(common.mustCall((req, res) => {
++  const headers = req.headersDistinct;
++  assert.strictEqual(Object.getPrototypeOf(headers), null);
++  assert.deepStrictEqual(Object.getOwnPropertyDescriptor(headers, '__proto__').value, ['test']);
++  res.end();
++}));
++
++server.listen(0, common.mustCall(() => {
++  const port = server.address().port;
++
++  const client = net.connect(port, common.mustCall(() => {
++    client.write(
++      'GET / HTTP/1.1\r\n' +
++      'Host: localhost\r\n' +
++      '__proto__: test\r\n' +
++      'Connection: close\r\n' +
++      '\r\n',
++    );
++  }));
++
++  client.on('end', common.mustCall(() => {
++    server.close();
++  }));
++
++  client.resume();
++}));
+diff --git a/test/parallel/test-http-multiple-headers.js b/test/parallel/test-http-multiple-headers.js
+index 8f52f817..d0fea85c 100644
+--- a/test/parallel/test-http-multiple-headers.js
++++ b/test/parallel/test-http-multiple-headers.js
+@@ -27,13 +27,13 @@ const server = createServer(
+       host,
+       'transfer-encoding': 'chunked'
+     });
+-    assert.deepStrictEqual(req.headersDistinct, {
++    assert.deepStrictEqual(req.headersDistinct, Object.assign({ __proto__: null }, {
+       'connection': ['close'],
+       'x-req-a': ['eee', 'fff', 'ggg', 'hhh'],
+       'x-req-b': ['iii; jjj; kkk; lll'],
+       'host': [host],
+-      'transfer-encoding': ['chunked']
+-    });
++      'transfer-encoding': ['chunked'],
++    }));
+ 
+     req.on('end', function() {
+       assert.deepStrictEqual(req.rawTrailers, [
+@@ -46,7 +46,7 @@ const server = createServer(
+       );
+       assert.deepStrictEqual(
+         req.trailersDistinct,
+-        { 'x-req-x': ['xxx', 'yyy'], 'x-req-y': ['zzz; www'] }
++        Object.assign({ __proto__: null }, { 'x-req-x': ['xxx', 'yyy'], 'x-req-y': ['zzz; www'] })
+       );
+ 
+       res.setHeader('X-Res-a', 'AAA');
+@@ -129,14 +129,14 @@ server.listen(0, common.mustCall(() => {
+       'x-res-d': 'JJJ; KKK; LLL',
+       'transfer-encoding': 'chunked'
+     });
+-    assert.deepStrictEqual(res.headersDistinct, {
++    assert.deepStrictEqual(res.headersDistinct, Object.assign({ __proto__: null }, {
+       'x-res-a': [ 'AAA', 'BBB', 'CCC' ],
+       'x-res-b': [ 'DDD; EEE; FFF; GGG' ],
+       'connection': [ 'close' ],
+       'x-res-c': [ 'HHH', 'III' ],
+       'x-res-d': [ 'JJJ; KKK; LLL' ],
+-      'transfer-encoding': [ 'chunked' ]
+-    });
++      'transfer-encoding': [ 'chunked' ],
++    }));
+ 
+     res.on('end', function() {
+       assert.deepStrictEqual(res.rawTrailers, [
+@@ -150,7 +150,7 @@ server.listen(0, common.mustCall(() => {
+       );
+       assert.deepStrictEqual(
+         res.trailersDistinct,
+-        { 'x-res-x': ['XXX', 'YYY'], 'x-res-y': ['ZZZ; WWW'] }
++        Object.assign({ __proto__: null }, { 'x-res-x': ['XXX', 'YYY'], 'x-res-y': ['ZZZ; WWW'] })
+       );
+       server.close();
+     });
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/CVE-2026-21713.patch b/SPECS/nodejs/CVE-2026-21713.patch
@@ -0,0 +1,36 @@
+From a3f686cc211731ef93e35798357debcc8a6dc752 Mon Sep 17 00:00:00 2001
+From: Filip Skokan <panva.ip@gmail.com>
+Date: Fri, 20 Feb 2026 12:32:14 +0100
+Subject: [PATCH] crypto: use timing-safe comparison in Web Cryptography HMAC
+
+Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC`
+Web Cryptography algorithm implementations.
+
+Ref: https://hackerone.com/reports/3533945
+PR-URL: https://github.com/nodejs-private/node-private/pull/831
+Refs: https://hackerone.com/reports/3533945
+Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
+CVE-ID: CVE-2026-21713
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94faf.patch
+---
+ src/crypto/crypto_hmac.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/crypto/crypto_hmac.cc b/src/crypto/crypto_hmac.cc
+index 5d81a60a..c09aa70c 100644
+--- a/src/crypto/crypto_hmac.cc
++++ b/src/crypto/crypto_hmac.cc
+@@ -268,7 +268,8 @@ Maybe<bool> HmacTraits::EncodeOutput(
+       *result = Boolean::New(
+           env->isolate(),
+           out->size() > 0 && out->size() == params.signature.size() &&
+-              memcmp(out->data(), params.signature.data(), out->size()) == 0);
++              CRYPTO_memcmp(
++                  out->data(), params.signature.data(), out->size()) == 0);
+       break;
+     default:
+       UNREACHABLE();
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/CVE-2026-21714.patch b/SPECS/nodejs/CVE-2026-21714.patch
@@ -0,0 +1,128 @@
+From 2b5f0f547445e892ef458e2819674f0094fc209e Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Wed, 11 Mar 2026 11:22:23 -0300
+Subject: [PATCH] src: handle NGHTTP2_ERR_FLOW_CONTROL error code
+
+Refs: https://hackerone.com/reports/3531737
+PR-URL: https://github.com/nodejs-private/node-private/pull/832
+CVE-ID: CVE-2026-21714
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6.patch
+---
+ src/node_http2.cc                             |  6 ++
+ .../test-http2-window-update-overflow.js      | 84 +++++++++++++++++++
+ 2 files changed, 90 insertions(+)
+ create mode 100644 test/parallel/test-http2-window-update-overflow.js
+
+diff --git a/src/node_http2.cc b/src/node_http2.cc
+index 28dfe532..ddf17380 100644
+--- a/src/node_http2.cc
++++ b/src/node_http2.cc
+@@ -1114,8 +1114,14 @@ int Http2Session::OnInvalidFrame(nghttp2_session* handle,
+   // The GOAWAY frame includes an error code that indicates the type of error"
+   // The GOAWAY frame is already sent by nghttp2. We emit the error
+   // to liberate the Http2Session to destroy.
++  //
++  // ERR_FLOW_CONTROL: A WINDOW_UPDATE on stream 0 pushed the connection-level
++  // flow control window past 2^31-1. nghttp2 sends GOAWAY internally but
++  // without propagating this error the Http2Session would never be destroyed,
++  // causing a memory leak.
+   if (nghttp2_is_fatal(lib_error_code) ||
+       lib_error_code == NGHTTP2_ERR_STREAM_CLOSED ||
++      lib_error_code == NGHTTP2_ERR_FLOW_CONTROL ||
+       lib_error_code == NGHTTP2_ERR_PROTO) {
+     Environment* env = session->env();
+     Isolate* isolate = env->isolate();
+diff --git a/test/parallel/test-http2-window-update-overflow.js b/test/parallel/test-http2-window-update-overflow.js
+new file mode 100644
+index 00000000..41488af9
+--- /dev/null
++++ b/test/parallel/test-http2-window-update-overflow.js
+@@ -0,0 +1,84 @@
++'use strict';
++
++const common = require('../common');
++
++if (!common.hasCrypto)
++  common.skip('missing crypto');
++
++const http2 = require('http2');
++const net = require('net');
++
++// Regression test: a connection-level WINDOW_UPDATE that causes the flow
++// control window to exceed 2^31-1 must destroy the Http2Session (not leak it).
++//
++// nghttp2 responds with GOAWAY(FLOW_CONTROL_ERROR) internally but previously
++// Node's OnInvalidFrame callback only propagated errors for
++// NGHTTP2_ERR_STREAM_CLOSED and NGHTTP2_ERR_PROTO. The missing
++// NGHTTP2_ERR_FLOW_CONTROL case left the session unreachable after the GOAWAY,
++// causing a memory leak.
++
++const server = http2.createServer();
++
++server.on('session', common.mustCall((session) => {
++  session.on('error', common.mustCall());
++  session.on('close', common.mustCall(() => server.close()));
++}));
++
++server.listen(0, common.mustCall(() => {
++  const conn = net.connect({
++    port: server.address().port,
++    allowHalfOpen: true,
++  });
++
++  // HTTP/2 client connection preface.
++  conn.write('PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n');
++
++  // Empty SETTINGS frame (9-byte header, 0-byte payload).
++  const settingsFrame = Buffer.alloc(9);
++  settingsFrame[3] = 0x04; // type: SETTINGS
++  conn.write(settingsFrame);
++
++  let inbuf = Buffer.alloc(0);
++  let state = 'settingsHeader';
++  let settingsFrameLength;
++
++  conn.on('data', (chunk) => {
++    inbuf = Buffer.concat([inbuf, chunk]);
++
++    switch (state) {
++      case 'settingsHeader':
++        if (inbuf.length < 9) return;
++        settingsFrameLength = inbuf.readUIntBE(0, 3);
++        inbuf = inbuf.slice(9);
++        state = 'readingSettings';
++        // Fallthrough
++      case 'readingSettings': {
++        if (inbuf.length < settingsFrameLength) return;
++        inbuf = inbuf.slice(settingsFrameLength);
++        state = 'done';
++
++        // ACK the server SETTINGS.
++        const ack = Buffer.alloc(9);
++        ack[3] = 0x04; // type: SETTINGS
++        ack[4] = 0x01; // flag: ACK
++        conn.write(ack);
++
++        // WINDOW_UPDATE on stream 0 (connection level) with increment 2^31-1.
++        // Default connection window is 65535, so the new total would be
++        // 65535 + 2147483647 = 2147549182 > 2^31-1, triggering
++        // NGHTTP2_ERR_FLOW_CONTROL inside nghttp2.
++        const windowUpdate = Buffer.alloc(13);
++        windowUpdate.writeUIntBE(4, 0, 3);          // length = 4
++        windowUpdate[3] = 0x08;                      // type: WINDOW_UPDATE
++        windowUpdate[4] = 0x00;                      // flags: none
++        windowUpdate.writeUIntBE(0, 5, 4);           // stream id: 0
++        windowUpdate.writeUIntBE(0x7FFFFFFF, 9, 4);  // increment: 2^31-1
++        conn.write(windowUpdate);
++      }
++    }
++  });
++
++  // The server must close the connection after sending GOAWAY.
++  conn.on('end', common.mustCall(() => conn.end()));
++  conn.on('close', common.mustCall());
++}));
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/CVE-2026-21715.patch b/SPECS/nodejs/CVE-2026-21715.patch
@@ -0,0 +1,66 @@
+From eda20a5f65a85abd2dada7303c58e2775abe1db7 Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Mon, 5 Jan 2026 18:18:39 -0300
+Subject: [PATCH] permission: add permission check to realpath.native
+
+Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
+PR-URL: https://github.com/nodejs-private/node-private/pull/838
+CVE-ID: CVE-2026-21715
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nodejs/node/commit/00830712bc623ba04b08856462a56b79e29f5cc3.patch
+---
+ src/node_file.cc                    |  8 ++++++++
+ test/fixtures/permission/fs-read.js | 13 +++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/node_file.cc b/src/node_file.cc
+index ba69879b..32e85203 100644
+--- a/src/node_file.cc
++++ b/src/node_file.cc
+@@ -1909,11 +1909,19 @@ static void RealPath(const FunctionCallbackInfo<Value>& args) {
+ 
+   if (argc > 2) {  // realpath(path, encoding, req)
+     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
++    CHECK_NOT_NULL(req_wrap_async);
++    ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
++        env,
++        req_wrap_async,
++        permission::PermissionScope::kFileSystemRead,
++        path.ToStringView());
+     FS_ASYNC_TRACE_BEGIN1(
+         UV_FS_REALPATH, req_wrap_async, "path", TRACE_STR_COPY(*path))
+     AsyncCall(env, req_wrap_async, args, "realpath", encoding, AfterStringPtr,
+               uv_fs_realpath, *path);
+   } else {  // realpath(path, encoding, undefined, ctx)
++    THROW_IF_INSUFFICIENT_PERMISSIONS(
++        env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
+     FSReqWrapSync req_wrap_sync("realpath", *path);
+     FS_SYNC_TRACE_BEGIN(realpath);
+     int err =
+diff --git a/test/fixtures/permission/fs-read.js b/test/fixtures/permission/fs-read.js
+index 43e1718a..5051d9c9 100644
+--- a/test/fixtures/permission/fs-read.js
++++ b/test/fixtures/permission/fs-read.js
+@@ -287,6 +287,19 @@ const regularFile = __filename;
+   });
+ }
+ 
++// fs.realpath.native
++{
++  fs.realpath.native(blockedFile, common.expectsError({
++    code: 'ERR_ACCESS_DENIED',
++    permission: 'FileSystemRead',
++    resource: path.toNamespacedPath(blockedFile),
++  }));
++
++  // doesNotThrow
++  fs.realpath.native(regularFile, (err) => {
++    assert.ifError(err);
++  });
++}
+ // fs.watchFile
+ {
+   assert.throws(() => {
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/CVE-2026-21716.patch b/SPECS/nodejs/CVE-2026-21716.patch
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
