CVE-2026-21710

NameCVE-2026-21710
DescriptionA flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6183-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u7vulnerable
bookworm, bookworm (security)18.20.4+dfsg-1~deb12u1vulnerable
trixie20.19.2+dfsg-1vulnerable
trixie (security)20.19.2+dfsg-1+deb13u2fixed
forky, sid22.22.2+dfsg+~cs22.19.15-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssourcetrixie20.19.2+dfsg-1+deb13u2DSA-6183-1
nodejssource(unstable)22.22.2+dfsg+~cs22.19.15-1

Notes

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high
Fixed by: https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d (v20.20.2)
Search for package or bug name: Reporting problems