The Node.js project released a critical security update on March 24, 2026, for the Long-Term Support (LTS) branch, designating version 20.20.2 ‘Iron’ as a security release.
The update resolves seven tracked vulnerabilities spanning TLS error handling, HTTP/2 flow control, cryptographic timing leaks, permission model bypasses, and a V8 hash-table weakness, several of which can be triggered remotely without authentication.
Critical TLS SNICallback Flaw Enables Remote Process Crash
The most severe issue in this batch is CVE-2026-21637 (rated High), an incomplete fix of a prior TLS vulnerability by the same identifier. A flaw in Node.js TLS error handling leaves SNICallback invocations unprotected against synchronous exceptions, while equivalent ALPN and PSK callbacks were already addressed earlier.
When a TLS client sends an unexpected servername value, the thrown exception bypasses all TLS error handlers and propagates as an uncaught exception, crashing the Node.js process outright.
The fix, contributed by Matteo Collina, wraps SNICallback invocations in a try/catch block. Any TLS server operating on versions 20.x, 22.x, 24.x, or 25.x where SNICallback may throw is affected.
HTTP/2 Flow Control Error Triggers Memory Leak and DoS
CVE-2026-21714 (Medium) affects Node.js HTTP/2 servers and involves unhandled NGHTTP2_ERR_FLOW_CONTROL error codes. A malicious client can send malformed WINDOW_UPDATE frames on stream 0, triggering a memory leak in the server process over repeated connections.
Left unaddressed, this leads to resource exhaustion and eventually to denial-of-service. RafaelGSS authored the fix, adding explicit handling for this nghttp2 error code in the Node.js source layer.
V8 HashDoS via Array Index Collision
CVE-2026-21717 (Medium) targets V8’s internal string hashing mechanism, which hashes integer-like strings to their numeric values — making hash collisions trivially predictable.
By crafting a payload that forces many such collisions, most commonly via JSON.parse() on attacker-controlled input, an adversary can significantly degrade the performance of the Node.js process in a classic HashDoS attack. This fix, contributed by Joyee Cheung, was applied across the deps, build, and test layers.
Cryptographic Timing Oracle in HMAC Verification
CVE-2026-21713 (Medium) introduces a timing side-channel in Node.js Web Cryptography HMAC verification. The flaw arises from using a non-constant-time memcmp() comparison when validating user-provided HMAC signatures, leaking timing information proportional to the number of matching bytes.
Under high-resolution measurement conditions, this can serve as a timing oracle to infer HMAC values. Filip Skokan resolved this by replacing the comparison with a timing-safe primitive already available in the codebase.
Permission Model Bypasses
Two low-severity permission model bypasses were also patched. CVE-2026-21715 allows code running under --permission with restricted --allow-fs-read to use fs.realpathSync.native() to disclose file existence and resolve symlink paths outside permitted directories.
CVE-2026-21716 extends coverage to lib/fs/promises, which similarly lacked permission enforcement. Both were fixed by RafaelGSS. Additionally, CVE-2026-21710 addresses a HTTP header prototype pollution vector by using a null-prototype object for headersDistinct and trailersDistinct fields.
Vulnerability Summary
| CVE | Severity | Component | Impact |
|---|---|---|---|
| CVE-2026-21637 | High | TLS / SNICallback | Remote process crash |
| CVE-2026-21717 | Medium | V8 / JSON parsing | HashDoS / CPU exhaustion |
| CVE-2026-21713 | Medium | Web Crypto / HMAC | Timing oracle / MAC forgery |
| CVE-2026-21714 | Medium | HTTP/2 / nghttp2 | Memory leak / DoS |
| CVE-2026-21710 | Medium | HTTP headers | Prototype pollution |
| CVE-2026-21716 | Low | Permission Model (fs/promises) | Filesystem path disclosure |
| CVE-2026-21715 | Low | Permission Model (realpath) | Filesystem path disclosure |
Developers and system administrators are urged to upgrade immediately to the patched releases: v20.20.2, v22.22.2, v24.14.1, or v25.8.2.
Given that CVE-2026-21637 requires no authentication and directly causes process termination, environments hosting publicly accessible TLS servers should treat this upgrade as a critical priority.
Installers and binaries are available across Windows, macOS, Linux (x64, ARM, PPC, s390x), and AIX platforms via the official Node.js distribution channel.
