Node.js patches high-severity DoS flaws in TLS and HTTP request handling
Node.js released security updates for supported 20.x, 22.x, 24.x, and 25.x branches to fix two high-severity, five medium-severity, and two low-severity vulnerabilities, with patched versions issued as v20.20.2, v22.22.2, v24.14.1, and v25.8.2. The most serious bug, CVE-2026-21637, was an incomplete fix in TLS SNICallback handling that could be triggered remotely to cause an uncaught exception and crash affected processes. A second high-severity issue, CVE-2026-21710, allowed specially crafted HTTP requests using a __proto__ header name to trigger a denial of service when applications accessed req.headersDistinct.
The release also addressed Permission Model bypasses, a native crash in URL formatting, a timing side-channel in HMAC verification, an HTTP/2 flow-control memory leak that could lead to memory exhaustion, and a V8 HashDoS weakness; Node.js also updated the undici dependency on 22.x, 24.x, and 25.x to remediate public vulnerabilities. Debian published a corresponding nodejs security update, and the Canadian Centre for Cyber Security urged administrators to review vendor guidance and apply the patched releases, with internet-facing TLS servers identified as the highest-priority systems for remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Node.js releases June 2026 security updates
Node.js published a product advisory for its Wednesday, June 17, 2026 security releases. This is a new vendor security release distinct from the March 2026 advisories already in the timeline.
Canadian Centre for Cyber Security issues AV26-277
On March 25, 2026, the Canadian Centre for Cyber Security published advisory AV26-277 about the Node.js vulnerabilities. It recommended that users and administrators review the vendor guidance and apply the necessary updates for affected Node.js 20, 22, 24, and 25 versions.
Node.js publishes HashDoS technical advisory for V8
Node.js published a technical advisory titled "Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8." This documented technical details related to the HashDoS issue addressed in the March 2026 security releases.
Node.js releases March 2026 security updates
On March 24, 2026, Node.js published security advisories and patched releases for the 20.x, 22.x, 24.x, and 25.x lines. The updates fixed two high-severity, five medium-severity, and two low-severity issues, including CVE-2026-21637 and an HTTP denial-of-service flaw, with patched versions v20.20.2, v22.22.2, v24.14.1, and v25.8.2.
Debian publishes DSA-6166-1 for Node.js security update
Debian issued security advisory DSA-6166-1 for Node.js. The reference indicates a Node.js security update was published by Debian on that date.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
oss-sec: Fwd: Node.js security updates for all active release lines, June 2026
seclists.org
Open sourceNode.js Fixes CVE-2026-21637 And Critical Flaws Now
thecyberexpress.com
Open sourceNodejs security advisory (AV26-277) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceNode.js Patches Multiple Vulnerabilities That Enable DoS Attacks and Process Crashes - Cyber Security News
cybersecuritynews.com
Open sourceNode.js - Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8
nodejs.org
Open sourceoss-sec: NodeJS Security Releases fixes High, 5 Medium, 2 Low severity issues
seclists.org
Open sourceNode.js - Tuesday, March 24, 2026 Security Releases
nodejs.org
Open source[SECURITY] [DSA 6166-1] nodejs security update
lists.debian.org
Open sourceNode.js - Wednesday, June 17, 2026 Security Releases
nodejs.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Node.js Patches 12 Flaws Including TLS Authentication Bypass and WebCrypto DoS
The Node.js project released security updates across its supported `22.x`, `24.x`, and `26.x` lines to fix 12 vulnerabilities, including two high-severity issues that prompted calls for immediate patching. The most serious bugs are **CVE-2026-48618**, a TLS hostname verification flaw caused by improper handling of Unicode dot separators that can lead to authentication bypass, and **CVE-2026-48933**, a WebCrypto AES integer overflow that can crash processes and enable remote denial-of-service. The releases were announced for all active Node.js lines through the project’s coordinated June security update process and public notices on the `oss-sec` mailing list.
Jun 22, 2026
Security Patches and Vulnerability Disclosures in Deno, glibc, and Go
Multiple upstream language/runtime and core library projects disclosed and/or patched significant vulnerabilities affecting widely deployed developer and production environments. **Deno** reported two issues: **CVE-2026-22863** (CVSS 9.2) in the `node:crypto` compatibility layer where `cipher.final()` fails to properly finalize/close cipher state, enabling “infinite encryptions” that could aid attacks aimed at learning server secrets; and **CVE-2026-22864**, a Windows-specific command execution weakness involving a bypass in `Deno.Command` protections when executing batch files, undermining intended shell-injection safeguards. **glibc** maintainers disclosed **CVE-2026-0861** (CVSS 8.4), an integer overflow in `memalign`, `posix_memalign`, and `aligned_alloc` affecting versions 2.30–2.42 that can lead to heap corruption when an attacker can control unusually large `size` values and alignment parameters, and **CVE-2026-0915**, a decades-old information leak in `getnetbyaddr`/`getnetbyaddr_r` affecting versions 2.0–2.42 that can expose uninitialized stack contents to DNS backends when querying a zero-valued network. Separately, the **Go** team released security updates (*Go* 1.25.6 and 1.24.12) addressing six vulnerabilities across the standard library (e.g., `archive/zip`, `net/http`, `crypto/tls`) and the toolchain, including a ZIP-processing CPU-exhaustion DoS (**CVE-2025-61728**) and toolchain issues that could enable command execution in certain developer/build scenarios; organizations running Go services or CI/build pipelines were advised to upgrade to the patched releases.
May 8, 2026
Critical React Server Components Flaws Expose Next.js App Router Deployments
Next.js disclosed a **critical remote code execution** vulnerability affecting applications that use the **App Router**, tracing the issue to the upstream React Server Components protocol as `CVE-2025-55182` and the downstream Next.js impact as `CVE-2025-66478`. The flaw carries a **CVSS 10.0** rating and can be triggered by attacker-controlled requests in unpatched environments, with maintainers warning that **no workaround exists**. Affected releases include multiple `15.x` and `16.x` branches and `14.3.0-canary.77` and later canary builds, while `13.x`, stable `14.x`, **Pages Router** applications, and the **Edge Runtime** were reported as unaffected. Next.js issued patched releases, published the `fix-react2shell-next` npm remediation tool, and advised organizations whose applications were online and unpatched at the disclosed cutoff to **rotate secrets after patching**. The company later reported two additional upstream React Server Components issues with downstream impact on Next.js App Router deployments: `CVE-2025-55184`, a **high-severity denial-of-service** flaw that can hang the server process through a crafted HTTP request, and `CVE-2025-55183`, a **medium-severity source code exposure** bug that can cause a Server Function to return compiled source code from other Server Functions. Next.js said neither new issue enables remote code execution and that the earlier React2Shell mitigation remains effective, but it also acknowledged that the initial fix for `CVE-2025-55184` was incomplete and was superseded by `CVE-2025-67779`, forcing some users to upgrade again. The affected range spans App Router deployments from `13.3` across several `14.x`, `15.x`, and `16.x` release lines, and the vendor again said **Pages Router** applications are not affected and urged immediate upgrades to the latest patched versions.
Mar 31, 2026