HIGHCVE-2026-21710Published Modified CNA hackerone
CVE-2026-21710: A flaw in Node
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Metrics
- CVSS v3.0
- 7.5
- Severity
- HIGH
- Fixed in
- 4.*
- Affected Products
- 1
Fix available
4.*5.*6.*7.*8.*9.*10.*11.*12.*13.*14.*15.*16.*17.*18.*19.*
Affected packages
- nodejs / node≤ 20.20.1 · ≤ 22.22.1 · ≤ 24.14.0 · ≤ 25.8.1 · < 4.* (from 4.0) · < 5.* (from 5.0)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences