CVE-2026-21710 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-21710

CVE-2026-21710

Published:March 30, 2026

Updated:April 23, 2026

A flaw in Node.js HTTP request handling causes an uncaught "TypeError" when a request is received with a header named "__proto__" and the application accesses "req.headersDistinct". When this occurs, "dest["__proto__"]" resolves to "Object.prototype" rather than "undefined", causing ".push()" to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by "error" event listeners, meaning it cannot be handled without wrapping every "req.headersDistinct" access in a "try/catch". * This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x

Affected Packages

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v22.0.0 <v22.22.2

Fix Suggestion:

Update to version v22.22.2

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v24.0.0 <v24.14.1

Fix Suggestion:

Update to version v24.14.1

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v20.0.0 <v20.20.2

Fix Suggestion:

Update to version v20.20.2

https://github.com/nodejs/node.git (GITHUB):

Affected version(s) >=v25.0.0 <v25.8.2

Fix Suggestion:

Update to version v25.8.2

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (1)

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Do you need more information?

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

EPSS

Base Score:

0.02

Products

Solutions

Resources

Company

Compare

Developer Tools