Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-21637

Good to know:

icon
icon

Date: January 20, 2026

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when "pskCallback" or "ALPNCallback" are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-21637
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high
https://www.mend.io/vulnerability-database/CVE-2026-21637

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/nodejs/node.git - v20.20.0;https://github.com/nodejs/node.git - v22.22.0;https://github.com/nodejs/node.git - v24.13.0;https://github.com/nodejs/node.git - v25.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us