|
1 | 1 | --- |
2 | | -date: 2026-03-17T03:00:00.000Z |
| 2 | +date: 2026-03-24T03:00:00.000Z |
3 | 3 | category: vulnerability |
4 | 4 | title: Tuesday, March 24, 2026 Security Releases |
5 | 5 | slug: march-2026-security-releases |
6 | 6 | layout: blog-post |
7 | 7 | author: The Node.js Project |
8 | 8 | --- |
9 | 9 |
|
| 10 | +## Security releases available |
| 11 | + |
| 12 | +Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines for the |
| 13 | +following issues. |
| 14 | + |
| 15 | +This security release includes the following dependency updates to address public vulnerabilities: |
| 16 | + |
| 17 | +- undici (6.24.1, 7.24.4) on 22.x, 24.x, 25.x |
| 18 | + |
| 19 | +## Incomplete fix for CVE-2026-21637: `loadSNI()` in `_tls_wrap.js` lacks `try`/`catch` leading to Remote DoS (CVE-2026-21637) - (High) |
| 20 | + |
| 21 | +A flaw in Node.js TLS error handling leaves `SNICallback` invocations unprotected against synchronous exceptions, while the equivalent ALPN and PSK callbacks were already addressed in CVE-2026-21637. This represents an incomplete fix of that prior vulnerability. |
| 22 | + |
| 23 | +When an `SNICallback` throws synchronously on unexpected input the exception bypasses TLS error handlers and propagates as an uncaught exception, crashing the Node.js process. |
| 24 | + |
| 25 | +- This vulnerability affects all Node.js versions that received the CVE-2026-21637 fix, including **20.x, 22.x, 24.x, and 25.x**, on any TLS server where `SNICallback` may throw on unexpected `servername` input. |
| 26 | + |
| 27 | +Thank you, to mbarbs for reporting this vulnerability and thank you mcollina for fixing it. |
| 28 | + |
| 29 | +## Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) (CVE-2026-21710) - (High) |
| 30 | + |
| 31 | +A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. |
| 32 | + |
| 33 | +When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. |
| 34 | + |
| 35 | +- This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x** |
| 36 | + |
| 37 | +Thank you, to yushengchen for reporting this vulnerability and thank you mcollina for fixing it. |
| 38 | + |
| 39 | +## Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` (CVE-2026-21711) - (Medium) |
| 40 | + |
| 41 | +A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. |
| 42 | + |
| 43 | +As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. |
| 44 | + |
| 45 | +- This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature. |
| 46 | + |
| 47 | +Thank you, to xavlimsg for reporting this vulnerability and thank you RafaelGSS for fixing it. |
| 48 | + |
| 49 | +## Assertion error in `node_url.cc` via malformed URL format leads to Node.js crash (CVE-2026-21712) - (Medium) |
| 50 | + |
| 51 | +A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. |
| 52 | + |
| 53 | +- This vulnerability affects **24.x and 25.x**. |
| 54 | + |
| 55 | +Thank you, to wooffie for reporting this vulnerability and thank you RafaelGSS for fixing it. |
| 56 | + |
| 57 | +## Timing side-channel in HMAC verification via `memcmp()` in `crypto_hmac.cc` leads to potential MAC forgery (CVE-2026-21713) - (Medium) |
| 58 | + |
| 59 | +A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. |
| 60 | + |
| 61 | +Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. |
| 62 | + |
| 63 | +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. |
| 64 | + |
| 65 | +Thank you, to x_probe for reporting this vulnerability and thank you panva for fixing it. |
| 66 | + |
| 67 | +## Memory leak in Node.js HTTP/2 server via `WINDOW_UPDATE` on stream 0 leads to resource exhaustion (CVE-2026-21714) - (Medium) |
| 68 | + |
| 69 | +A memory leak occurs in Node.js HTTP/2 servers when a client sends `WINDOW_UPDATE` frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. |
| 70 | + |
| 71 | +- This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25. |
| 72 | + |
| 73 | +Thank you, to galbarnahum for reporting this vulnerability and thank you RafaelGSS for fixing it. |
| 74 | + |
| 75 | +## HashDoS in V8 (CVE-2026-21717) - (Medium) |
| 76 | + |
| 77 | +A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. |
| 78 | + |
| 79 | +The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. |
| 80 | + |
| 81 | +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. |
| 82 | + |
| 83 | +Thank you, to sharp_edged for reporting this vulnerability and thank you joyeecheung for fixing it. |
| 84 | + |
| 85 | +## Permission Model Bypass in realpathSync.native Allows File Existence Disclosure (CVE-2026-21715) - (Low) |
| 86 | + |
| 87 | +A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. |
| 88 | + |
| 89 | +As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. |
| 90 | + |
| 91 | +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted. |
| 92 | + |
| 93 | +Thank you, to stif for reporting this vulnerability and thank you RafaelGSS for fixing it. |
| 94 | + |
| 95 | +## CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown (CVE-2026-21716) - (Low) |
| 96 | + |
| 97 | +An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. |
| 98 | + |
| 99 | +As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. |
| 100 | + |
| 101 | +- This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted. |
| 102 | + |
| 103 | +Thank you, to wooseokdotkim for reporting this vulnerability and thank you RafaelGSS for fixing it. |
| 104 | + |
| 105 | +## Downloads and release details |
| 106 | + |
| 107 | +- [Node.js v20.20.2](/blog/release/v20.20.2/) |
| 108 | +- [Node.js v22.22.2](/blog/release/v22.22.2/) |
| 109 | +- [Node.js v24.14.1](/blog/release/v24.14.1/) |
| 110 | +- [Node.js v25.8.2](/blog/release/v25.8.2/) |
| 111 | + |
10 | 112 | # Summary |
11 | 113 |
|
12 | 114 | The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x |
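Review bot: the heading "Incomplete fix for CVE-2026-21637: `loadSNI()` in `_tls_wrap.js` ... (CVE-2026-21637) - (High)" names CVE-2026-21637 both as the earlier, incompletely fixed issue and as the trailing identifier for this new advisory, while every other section closes with its own distinct CVE-2026-217xx id; confirm the CVE assigned to the SNICallback issue and put that in the parenthetical, keeping the "Incomplete fix for CVE-2026-21637" wording, so readers and scanners do not index this entry against the old id. The unchanged Summary section below still reads "The Node.js project will release new versions of the 25.x, 24.x, 22.x, 20.x", which contradicts the new opening "Updates are now available" and should be reconciled or dropped now that the releases are out. Smaller consistency points: "20.x, 22.x, 24.x, and v25.x" mixes the `v` prefix and lacks the closing period the other bullets have; "HTTP2 users on Node.js 20, 22, 24 and 25" does not follow the bold `**20.x, 22.x, 24.x, and 25.x**` form used elsewhere; the release-line list "25.x, 24.x, 22.x, 20.x Node.js release lines" wants an "and" before 20.x; the undici bullet lists 22.x, 24.x, 25.x only, so state whether 20.x is intentionally excluded from that dependency update; and the comma in "Thank you, to ..." recurs in every credit line and should be removed.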