Node.js patches seven vulnerabilities that can crash apps and trigger DoS attacks
The Node.js project shipped a security release on March 24, 2026, and developers should treat it as an important update if they run public-facing services. Node.js 20.20.2 for the Iron LTS line fixes seven vulnerabilities across TLS, HTTP/2, Web Crypto, the permission model, HTTP header handling, and V8-related hash collision behavior.
The most urgent issue in the batch is a high-severity flaw tied to SNICallback, which can crash a Node.js process if a TLS server handles a crafted servername value and the callback throws synchronously. Node.js says the fix wraps the SNICallback invocation in a try/catch, which prevents the exception from escaping as an uncaught process-killing error.
This release matters because several of the patched issues can be triggered remotely and do not depend on authentication. In practice, that means exposed Node.js services could face process crashes, memory leaks, CPU exhaustion, or information disclosure if they stay on older builds.
The TLS flaw is the biggest concern
Node.js lists CVE-2026-21637 as a fix for SNICallback handling in TLS. The gap was specific to SNICallback rather than to TLS processing in general: according to the project, equivalent protections for the ALPN and PSK callbacks had already been added earlier, but SNICallback still needed the same treatment.
That matters for operators because an uncaught exception in a Node.js process can bring down the service immediately. If your application uses TLS and custom SNICallback logic, this is the issue to prioritize first.
Other fixes cover HTTP/2, HMAC verification, and permission checks
Another important fix is CVE-2026-21714, where Node.js now handles the NGHTTP2_ERR_FLOW_CONTROL error code. The underlying risk is a malicious client driving a memory leak and denial of service through malformed HTTP/2 flow-control behavior, which is the kind of condition this fix addresses. The official release notes confirm the patch, although they summarize it only briefly.
Node.js also fixed CVE-2026-21713 by switching Web Cryptography HMAC and KMAC verification to a timing-safe comparison. That change closes a timing side-channel problem that could otherwise leak information through byte-by-byte comparison behavior.
Two lower-severity fixes target the permission model. Node.js says it added permission checks to lib/fs/promises and to realpath.native, closing gaps that could otherwise expose path information outside the intended allowed scope.
The release also addresses HashDoS and prototype pollution risk
Node.js says CVE-2026-21717 fixes an array index hash collision issue. The issue is a V8 HashDoS problem: predictable collisions can degrade performance, especially when the input is attacker-controlled. The official release notes confirm the fix, and the Node.js blog index also highlights a dedicated vulnerability post about developing a minimally HashDoS-resistant integer hash for V8.
The release also fixes CVE-2026-21710 by using a null-prototype object for headersDistinct and trailersDistinct. That change reduces prototype pollution risk in HTTP header handling.
Vulnerability summary
| CVE | Severity | Area | Main risk |
|---|---|---|---|
| CVE-2026-21637 | High | TLS / SNICallback | Remote process crash |
| CVE-2026-21714 | Medium | HTTP/2 | Memory leak and DoS |
| CVE-2026-21717 | Medium | V8 / hash collision | CPU exhaustion or slowdown |
| CVE-2026-21713 | Medium | Web Crypto | Timing side-channel in HMAC/KMAC verification |
| CVE-2026-21710 | Medium | HTTP | Prototype pollution risk |
| CVE-2026-21716 | Low | Permission model | Missing permission check in fs/promises |
| CVE-2026-21715 | Low | Permission model | Missing permission check in realpath.native |
The table above reflects the official Node.js release notes and the public patch list.
Fixed versions
Node.js published the March 24, 2026 security releases across supported branches. The patched versions are:
- Node.js 20.20.2 for Iron LTS
- Node.js 22.22.2 for LTS
- Node.js 24.14.1 for LTS
- Node.js 25.8.2 for Current
Why developers should update now
This is the kind of release that affects both app stability and internet-facing risk. The TLS crash bug alone gives teams a strong reason to update quickly, but the combination of HTTP/2 handling issues, timing-safe crypto fixes, permission model corrections, and hash-collision hardening makes the overall release more important than a typical maintenance patch.
Teams that expose Node.js services to the internet should move first, especially if they terminate TLS in Node itself or rely on HTTP/2. Internal services should still update because the patched issues are spread across core runtime components that affect security boundaries, performance, and error handling.
What admins and developers should do
- Upgrade to the patched release for your supported branch
- Review any custom TLS SNICallback usage
- Test HTTP/2 services after patching
- Recheck applications that rely on the permission model
- Prioritize internet-facing Node.js services first
FAQ
The most serious fix is CVE-2026-21637, a high-severity TLS SNICallback issue that can crash a Node.js process if a synchronous exception escapes callback handling.
Node.js released 20.20.2, 22.22.2, 24.14.1, and 25.8.2 as security updates on March 24, 2026.
No. The fixes also cover HTTP/2, Web Crypto, the permission model, HTTP header handling, and V8-related hash collision behavior.
Yes. Based on the official patch list and the technical details described above, several of the issues can lead to process crashes, memory leaks, CPU exhaustion, or related denial-of-service conditions.