Node.js Releases Critical Security Update to Fix DoS, V8 HashDoS, and Other Vulnerabilities

Node.js Releases Critical Security Update to Address Multiple Vulnerabilities

On March 24, 2026, the Node.js project announced a significant security update for its Long-Term Support (LTS) branch, introducing version 20.20.2, codenamed ‘Iron.’ This release addresses seven identified vulnerabilities that could potentially lead to denial-of-service (DoS) attacks, process crashes, and other security concerns.

Key Vulnerabilities Addressed:

1. TLS SNICallback Flaw (CVE-2026-21637):
– Severity: High
– Description: An incomplete fix in the TLS error handling mechanism left the `SNICallback` function vulnerable to synchronous exceptions. If a TLS client sends an unexpected `servername` value, the resulting exception could bypass all TLS error handlers, leading to an unhandled exception and causing the Node.js process to crash.
– Affected Versions: 20.x, 22.x, 24.x, 25.x
– Resolution: The update wraps `SNICallback` invocations in a `try/catch` block to handle exceptions appropriately, preventing process crashes.

2. HTTP/2 Flow Control Error (CVE-2026-21714):
– Severity: Medium
– Description: A flaw in the HTTP/2 server implementation allowed malicious clients to send malformed `WINDOW_UPDATE` frames on stream 0. This could trigger a memory leak in the server process over repeated connections, potentially leading to resource exhaustion and a denial-of-service condition.
– Resolution: The update introduces explicit handling for the `NGHTTP2_ERR_FLOW_CONTROL` error code, mitigating the risk of memory leaks.

3. V8 HashDoS via Array Index Collision (CVE-2026-21717):
– Severity: Medium
– Description: The V8 engine’s internal string hashing mechanism was susceptible to predictable hash collisions. By crafting payloads that force numerous collisions, an attacker could degrade the performance of the Node.js process, leading to a HashDoS attack.
– Resolution: The update addresses this vulnerability by enhancing the hashing mechanism to prevent predictable collisions.

4. Cryptographic Timing Oracle in HMAC Verification (CVE-2026-21713):
– Severity: Medium
– Description: The Web Cryptography HMAC verification process used a non-constant-time `memcmp()` function for comparing user-provided HMAC signatures. This could leak timing information proportional to the number of matching bytes, potentially allowing attackers to infer HMAC values through timing analysis.
– Resolution: The update replaces the vulnerable comparison function with a timing-safe alternative to eliminate the side-channel risk.

5. Permission Model Bypasses (CVE-2026-21715 and CVE-2026-21716):
– Severity: Low
– Description: Two vulnerabilities were identified in the permission model:
– CVE-2026-21715: Code running under `--permission` with restricted `--allow-fs-read` could use `fs.realpathSync.native()` to disclose file existence and resolve symlink paths outside permitted directories.
– CVE-2026-21716: Similar issues were present in the `lib/fs/promises` module, lacking proper permission enforcement.
– Resolution: The update enforces permission checks in these modules to prevent unauthorized file system access.

6. HTTP Header Prototype Pollution (CVE-2026-21710):
– Severity: Medium
– Description: A flaw in HTTP header handling allowed prototype pollution through the `headersDistinct` and `trailersDistinct` fields. This could enable attackers to manipulate object prototypes, leading to unexpected behavior or security issues.
– Resolution: The update uses null-prototype objects for these fields to prevent prototype pollution.

Recommendations:

Node.js users, especially those operating servers or applications exposed to untrusted networks, are strongly advised to upgrade to version 20.20.2 or later to mitigate these vulnerabilities. Regularly updating to the latest security releases is crucial to maintaining the integrity and security of applications.