CVE-2026-21710 PUBLISHED

Assigner: hackerone
Reserved: 04.01.2026 Published: 30.03.2026 Updated: 31.03.2026

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct.

When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.
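
The mechanism described above, as an added example that is not Node.js's own code: a simplified model of how a per-name header list is accumulated. buildDistinctNaive mirrors the flawed pattern (a plain object accumulator, so the inherited __proto__ accessor hides the missing key), buildDistinctSafe uses a null-prototype object with an own-property check, and safeHeadersDistinct is the per-access try/catch the description mentions. RAW_HEADERS and makeFakeReq are constructed stand-ins for the example, not Node.js APIs.

```javascript
// Added example, not Node.js's own implementation: a simplified model of how a
// "distinct" header map (one array of values per header name) is accumulated,
// and why a header named __proto__ breaks a plain-object accumulator.

// Constructed sample header list, in the (name, value) order a parser would emit.
const RAW_HEADERS = [
  ['Host', 'example.test'],
  ['X-Forwarded-For', '10.0.0.1'],
  ['X-Forwarded-For', '10.0.0.2'],
  ['__proto__', 'x'],
];

// Flawed pattern: dest is a plain object, so dest['__proto__'] reads the
// inherited accessor and yields Object.prototype instead of undefined. The
// "create the array" branch is skipped and .push() is called on a non-array,
// which throws a TypeError.
function buildDistinctNaive(rawHeaders) {
  const dest = {};
  for (const [name, value] of rawHeaders) {
    const key = name.toLowerCase();
    if (dest[key] === undefined) dest[key] = [];
    dest[key].push(value);
  }
  return dest;
}

// Hardened form: a null-prototype object has no inherited __proto__ accessor,
// so '__proto__' is just another own key, and an own-property check replaces
// the undefined test on a possibly inherited value.
function buildDistinctSafe(rawHeaders) {
  const dest = Object.create(null);
  for (const [name, value] of rawHeaders) {
    const key = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(dest, key)) dest[key] = [];
    dest[key].push(value);
  }
  return dest;
}

// Constructed stand-in for an IncomingMessage: headersDistinct is a getter that
// runs the builder lazily, so any TypeError is thrown synchronously at the
// property read, where an 'error' event listener never sees it.
function makeFakeReq(rawHeaders, builder) {
  return {
    get headersDistinct() {
      return builder(rawHeaders);
    },
  };
}

// Application-side mitigation from the description: wrap each access in a
// try/catch. Returns null when the getter throws a TypeError so the handler
// can answer with a 400 instead of letting the process crash.
function safeHeadersDistinct(req) {
  try {
    return req.headersDistinct;
  } catch (err) {
    if (err instanceof TypeError) return null;
    throw err;
  }
}

// Returns true if the given builder throws a TypeError on the given headers.
function throwsTypeError(builder, rawHeaders) {
  try {
    builder(rawHeaders);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Demonstration; nothing here throws out of the module.
const naiveReq = makeFakeReq(RAW_HEADERS, buildDistinctNaive);
const safeReq = makeFakeReq(RAW_HEADERS, buildDistinctSafe);
console.log('naive builder throws TypeError:', throwsTypeError(buildDistinctNaive, RAW_HEADERS));
console.log('naive via safe accessor:', safeHeadersDistinct(naiveReq));
console.log('safe via safe accessor:', safeHeadersDistinct(safeReq));
```

The point of the fake getter is the detail the description stresses: the exception surfaces at the property read itself, not on the socket or server 'error' path, so the only application-level guard is around each access (or a null-prototype accumulator on the runtime side). Without the __proto__ header both builders behave identically, which is why the defect is easy to miss in ordinary testing.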

  • This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and 25.x

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor nodejs
Product node
Versions Default: unaffected
  • affected from 20.20.1 to 20.20.1 (incl.)
  • affected from 22.22.1 to 22.22.1 (incl.)
  • affected from 24.14.0 to 24.14.0 (incl.)
  • affected from 25.8.1 to 25.8.1 (incl.)
  • affected from 4.0 to 4.* (excl.)
  • affected from 5.0 to 5.* (excl.)
  • affected from 6.0 to 6.* (excl.)
  • affected from 7.0 to 7.* (excl.)
  • affected from 8.0 to 8.* (excl.)
  • affected from 9.0 to 9.* (excl.)
  • affected from 10.0 to 10.* (excl.)
  • affected from 11.0 to 11.* (excl.)
  • affected from 12.0 to 12.* (excl.)
  • affected from 13.0 to 13.* (excl.)
  • affected from 14.0 to 14.* (excl.)
  • affected from 15.0 to 15.* (excl.)
  • affected from 16.0 to 16.* (excl.)
  • affected from 17.0 to 17.* (excl.)
  • affected from 18.0 to 18.* (excl.)
  • affected from 19.0 to 19.* (excl.)

References