CVE-2026-21637

Summary

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Affected Software

VendorProductVersion RangeStatus
nodejsnode20.19.6 <= 20.19.6affected
nodejsnode22.21.1 <= 22.21.1affected
nodejsnode24.12.0 <= 24.12.0affected
nodejsnode25.2.1 <= 25.2.1affected
nodejsnode4.0 < 4.*affected
nodejsnode5.0 < 5.*affected
nodejsnode6.0 < 6.*affected
nodejsnode7.0 < 7.*affected
nodejsnode8.0 < 8.*affected
nodejsnode9.0 < 9.*affected
nodejsnode10.0 < 10.*affected
nodejsnode11.0 < 11.*affected
nodejsnode12.0 < 12.*affected
nodejsnode13.0 < 13.*affected
nodejsnode14.0 < 14.*affected
nodejsnode15.0 < 15.*affected
nodejsnode16.0 < 16.*affected
nodejsnode17.0 < 17.*affected
nodejsnode18.0 < 18.*affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References