Node.js patches nine vulnerabilities across active releases
Two high-severity TLS/HTTP flaws can crash production servers; requires immediate updates to 20.x, 22.x, 24.x, 25.x.
May 22, 2026
Summary
The incomplete fix for CVE-2026-21637 and the __proto__ header-handling flaw affect any TLS or HTTP server that receives untrusted input; both bypass error handlers entirely, so the process cannot recover without a restart. The HMAC timing oracle and the HashDoS in JSON.parse() widen the attack surface for cryptographic forgery and DoS.
Implementation verdict
Update to Node.js v20.20.2, v22.22.2, v24.14.1, or v25.8.2 immediately if running TLS or HTTP servers. No configuration changes needed—patches are transparent. Permission Model users should also address UDS and fs.realpathSync.native() bypasses. Do not defer: both high-severity flaws crash processes on unexpected input.
Sources
1. Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch, leading to remote DoS (CVE-2026-21637) - (High)
2. This security release includes the following dependency updates to address public vulnerabilities: undici (6.24.1, 7.24.4) on 22.x, 24.x, 25.x
3. 2 high severity issues. 5 medium severity issues. 2 low severity issues.
4. When an SNICallback throws synchronously on unexpected input, the exception bypasses TLS error handlers and propagates as an uncaught exception, crashing the Node.js process.
5. When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array.
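Added illustration of the lookup pitfall that source 5 describes, beside a prototype-free header store that avoids it. This is constructed example code, not Node's http parser; collectHeadersPlain, collectHeadersSafe, probe and the sample header list are assumptions made for the demonstration.

```javascript
// Flawed pattern (constructed): accumulate repeated headers into arrays keyed
// by name, using a plain object as the store.
function collectHeadersPlain(pairs) {
  const dest = {};
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    if (dest[key] === undefined) {
      dest[key] = [value];
    } else {
      // For key "__proto__", dest[key] is Object.prototype (inherited accessor),
      // not undefined, so this calls .push() on a non-array and throws TypeError.
      dest[key].push(value);
    }
  }
  return dest;
}

// Hardened pattern: a null-prototype object inherits nothing, so a lookup of an
// unseen key really is undefined, and "__proto__" becomes an ordinary own
// data property instead of hitting the Object.prototype accessor.
function collectHeadersSafe(pairs) {
  const dest = Object.create(null);
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    if (dest[key] === undefined) {
      dest[key] = [value];
    } else {
      dest[key].push(value);
    }
  }
  return dest;
}

// Run a collector and report whether it survived the input (assumed helper).
function probe(fn, pairs) {
  try {
    return { ok: true, headers: fn(pairs) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed sample: a benign header followed by a repeated "__proto__" name.
const SAMPLE_HEADERS = [["Host", "example.test"], ["__proto__", "x"], ["__proto__", "y"]];

// probe(collectHeadersPlain, SAMPLE_HEADERS) -> { ok: false, error: "TypeError" }
// probe(collectHeadersSafe, SAMPLE_HEADERS)  -> ok: true, headers["__proto__"] = ["x", "y"]
```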