Two high-severity TLS/HTTP flaws can crash production servers; requires immediate updates to 20.x, 22.x, 24.x, 25.x.
May 22, 2026
Summary
CVE-2026-21637 incomplete fix and __proto__ header handling affect any TLS server or HTTP server receiving untrusted input—both bypass error handlers entirely, making them unrecoverable without process restart. The HMAC timing oracle and HashDoS in JSON.parse() widen attack surface for cryptographic forgery and DoS.
Why it matters
CVE-2026-21637 incomplete fix and __proto__ header handling affect any TLS server or HTTP server receiving untrusted input—both bypass error handlers entirely, making them unrecoverable without process restart. The HMAC timing oracle and HashDoS in JSON.parse() widen attack surface for cryptographic forgery and DoS.
Implementation verdict
Update to Node.js v20.20.2, v22.22.2, v24.14.1, or v25.8.2 immediately if running TLS or HTTP servers. No configuration changes needed—patches are transparent. Permission Model users should also address UDS and fs.realpathSync.native() bypasses. Do not defer: both high-severity flaws crash processes on unexpected input.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.