Node.js Denial of Service via crafted HTTP __proto__ header in req.headersDistinct
CVE-2026-21710 is a denial-of-service vulnerability in Node.js HTTP request handling. When a request contains an HTTP header named __proto__ and application code accesses req.headersDistinct, Node.js constructs the distinct-headers object in a way that allows dest["__proto__"] to resolve to Object.prototype instead of undefined. The implementation then attempts to call .push() on that value, producing an uncaught synchronous TypeError. Because the exception is thrown from within a property getter, it is not catchable through normal error event listeners and can terminate the Node.js process unless every access to req.headersDistinct is individually wrapped in try/catch. The issue affects Node.js HTTP servers on the 20.x, 22.x, 24.x, and 25.x release lines. Supporting content indicates the fix was to use a null-prototype object for headersDistinct and trailersDistinct.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
A remote, unauthenticated attacker can send an HTTP request containing a __proto__ header to trigger an uncaught exception when the target application accesses req.headersDistinct. Successful exploitation causes process termination and denial of service for the affected Node.js HTTP server. There is no indication in the provided content of code execution, privilege escalation, or confidentiality impact; the documented impact is service disruption through a crash of the Node.js process.
Mitigation
If you can’t patch tonight, do this now.
Filter requests carrying a header named __proto__ before they reach vulnerable Node.js applications, for example at a reverse proxy, load balancer, WAF, or custom request-filtering layer. Avoid accessing req.headersDistinct on untrusted requests unless the access is wrapped in an explicit try/catch, as standard error event handlers will not intercept this exception. These are temporary mitigations only; patching is the reliable fix.
Remediation
Patch, then assume compromise.
Upgrade to a patched Node.js release. The fix uses a null-prototype object for headersDistinct and trailersDistinct, preventing __proto__ from resolving through Object.prototype.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small, self-contained proof-of-concept for CVE-2026-21710, a Node.js denial-of-service vulnerability involving req.headersDistinct. The repo contains three files: README.md documenting the issue and usage, server.js implementing a deliberately vulnerable HTTP server, and poc.js implementing the exploit. The exploit is not part of a larger framework. The main exploit capability is remote, unauthenticated DoS. poc.js uses Node's net module to open a raw TCP connection to 127.0.0.1:3000 and manually sends HTTP/1.1 requests. It first sends a benign request to verify availability, then sends a malicious request containing the header __proto__, and finally performs a follow-up request to confirm the server has crashed. The exploit relies on the target application accessing req.headersDistinct; when the malicious header is processed, the internal accumulator uses a plain object and dest["__proto__"] resolves to Object.prototype, causing .push() to throw a synchronous TypeError. The result is process termination unless a top-level uncaughtException handler prevents exit. server.js is a demonstration target rather than part of the exploit payload. It binds an HTTP server to 127.0.0.1:3000 and immediately accesses req.headersDistinct inside the request handler, making it vulnerable by design. A normal server error listener is present, but comments correctly note that this listener does not catch the vulnerable exception path. Overall, this is a genuine POC exploit repository with clear reproduction steps, minimal code, and no post-exploitation behavior beyond service crash verification. It does not provide persistence, code execution, or lateral movement; its sole purpose is to demonstrate and validate the crash condition for affected Node.js versions.
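The accumulator pattern behind the crash described in the summary and in the POC write-up above, beside the null-prototype form the fix uses, as an added example (not Node.js core code and not the POC repository's code); the rawHeaders layout follows Node's req.rawHeaders, and the sample headers are constructed.

```javascript
// Added example: why a plain-object accumulator breaks on a header named
// "__proto__" and why a null-prototype object does not. rawHeaders uses the
// flat layout of Node's req.rawHeaders: [name, value, name, value, ...].

// Vulnerable shape. `{}` inherits from Object.prototype, so
// dest["__proto__"] already resolves to Object.prototype (never undefined),
// and Object.prototype has no push(), so the call throws a synchronous
// TypeError. This is the condition the advisory describes.
function distinctPlain(rawHeaders) {
  const dest = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (dest[name] === undefined) dest[name] = [];
    dest[name].push(rawHeaders[i + 1]);
  }
  return dest;
}

// Fixed shape. Object.create(null) has no prototype chain, so "__proto__"
// is an ordinary own property key: the lookup yields undefined, the
// assignment creates an own data property, and push() succeeds.
function distinctNullProto(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (dest[name] === undefined) dest[name] = [];
    dest[name].push(rawHeaders[i + 1]);
  }
  return dest;
}

// Runs an accumulator and reports whether it threw a TypeError.
function throwsTypeError(accumulate, rawHeaders) {
  try {
    accumulate(rawHeaders);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed sample: a repeated Host header plus the hostile header name.
const SAMPLE_RAW_HEADERS = ["Host", "example.test", "__proto__", "x", "host", "dup"];

console.log("plain object throws:", throwsTypeError(distinctPlain, SAMPLE_RAW_HEADERS));
console.log("null-prototype keys:", Object.keys(distinctNullProto(SAMPLE_RAW_HEADERS)));
```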
Recent activity
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity Node.js HTTP request processing vulnerability where a crafted __proto__ header can trigger an uncaught TypeError via req.headersDistinct, potentially crashing applications.
A medium-severity Node.js HTTP header prototype pollution vulnerability affecting headersDistinct and trailersDistinct handling.