Node.js Fixes CVE-2026-21637 And Critical Flaws Now
"CVE-2026-21637 stems from improper exception handling in the TLS layer, specifically in the loadSNI() function, which lacked a try/catch mechanism, exposing SNICallback executions to unhandled synchronous exceptions."
"The vulnerability can crash a Node.js process, leading to a potential Remote Denial of Service (DoS), particularly in environments where SNICallback may fail on malformed server name inputs."
"CVE-2026-21710 affects HTTP request processing, where a specially crafted request containing a proto header can trigger an uncaught TypeError when accessing req.headersDistinct."
The Node.js project has issued security updates for the 20.x, 22.x, 24.x, and 25.x release lines, addressing vulnerabilities including CVE-2026-21637 and CVE-2026-21710. CVE-2026-21637 involves improper exception handling in the TLS layer, with the potential for a Remote Denial of Service. The update also addresses a high-severity issue in HTTP request processing, in which a proto header can trigger an uncaught TypeError. Both vulnerabilities affect all of the listed Node.js versions; the TLS issue is of particular concern in environments where SNICallback may fail on malformed server name inputs.
Read at The Cyber Express