CVE-2026-21710

216.73.217.22

· Published 30/03/2026 20:16 · Modified 31/03/2026 15:16

Labels: CVE-2026-21710 2026-03-30 CVE-2026-21710 CWE-770 [email protected]

Essential information

Published: 30/03/2026 20:16
Modified: 31/03/2026 15:16
Author: —
Creator: —
CVSS: 7.5 HIGH (v3.0)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
node.js / node.js	`cpe:2.3:a:node.js:node.js:20.:::::::`
node.js / node.js	`cpe:2.3:a:node.js:node.js:22.:::::::`
node.js / node.js	`cpe:2.3:a:node.js:node.js:24.:::::::`
node.js / node.js	`cpe:2.3:a:node.js:node.js:25.:::::::`