CVE-2026-21713 PUBLISHED

Assigner: hackerone
Reserved: 04.01.2026 Published: 30.03.2026 Updated: 30.03.2026

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.

Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

Metrics

CVSS 3.0

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.0

Product Status

Vendor	nodejs
Product	node
Versions	Default: unaffected affected from 20.20.1 to 20.20.1 (incl.) affected from 22.22.1 to 22.22.1 (incl.) affected from 24.14.0 to 24.14.0 (incl.) affected from 25.8.1 to 25.8.1 (incl.) affected from 4.0 to 4.* (excl.) affected from 5.0 to 5.* (excl.) affected from 6.0 to 6.* (excl.) affected from 7.0 to 7.* (excl.) affected from 8.0 to 8.* (excl.) affected from 9.0 to 9.* (excl.) affected from 10.0 to 10.* (excl.) affected from 11.0 to 11.* (excl.) affected from 12.0 to 12.* (excl.) affected from 13.0 to 13.* (excl.) affected from 14.0 to 14.* (excl.) affected from 15.0 to 15.* (excl.) affected from 16.0 to 16.* (excl.) affected from 17.0 to 17.* (excl.) affected from 18.0 to 18.* (excl.) affected from 19.0 to 19.* (excl.)

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases