CVE-2026-21710

Summary

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct.

When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.

  • This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x

Affected Software

VendorProductVersion RangeStatus
nodejsnode20.20.1 <= 20.20.1affected
nodejsnode22.22.1 <= 22.22.1affected
nodejsnode24.14.0 <= 24.14.0affected
nodejsnode25.8.1 <= 25.8.1affected
nodejsnode4.0 < 4.*affected
nodejsnode5.0 < 5.*affected
nodejsnode6.0 < 6.*affected
nodejsnode7.0 < 7.*affected
nodejsnode8.0 < 8.*affected
nodejsnode9.0 < 9.*affected
nodejsnode10.0 < 10.*affected
nodejsnode11.0 < 11.*affected
nodejsnode12.0 < 12.*affected
nodejsnode13.0 < 13.*affected
nodejsnode14.0 < 14.*affected
nodejsnode15.0 < 15.*affected
nodejsnode16.0 < 16.*affected
nodejsnode17.0 < 17.*affected
nodejsnode18.0 < 18.*affected
nodejsnode19.0 < 19.*affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

Node.js: Node.js: Denial of Service due to crafted HTTP __proto__ header

Additional References

References