Security
Apr 8, 2026

March 2026 Node.js Security Release: Eight CVEs Patched, Including Two High-Severity Process Crashes

How the final upstream security release before Node.js 20 EOL exposes the widening gap for teams on unsupported versions


Open source powers the modern software stack, but its security depends on a shared commitment to finding and fixing weaknesses before they become incidents.

At HeroDevs, that's our mission: secure open source. We do it in two ways:

  1. Remediating known CVEs across critical ecosystems, and
  2. Proactively researching vulnerabilities before attackers can exploit them.

On March 24, 2026, the Node.js project released security patches across all four active release lines: v20.20.2, v22.22.2, v24.14.1, and v25.8.2. The batch includes two High-severity denial-of-service vulnerabilities that crash the Node.js process without authentication, four Medium-severity issues spanning HTTP/2 resource exhaustion, cryptographic timing leaks, permission model bypasses, and URL parsing crashes, plus two Low-severity permission model fixes.

The timing matters. Node.js 20 reaches end of life on April 30, 2026, less than five weeks away. This March batch is likely the last (or one of the last) upstream security releases that Node.js 20 will ever receive. After April 30, new CVEs affecting Node.js 20 will not receive community patches. Node.js 18 and earlier are already EOL and receive no patches at all.

This post summarizes what was disclosed, which versions are affected, and what the EOL timeline means for teams that cannot immediately upgrade.

CVEs and Versions Affected

High-severity vulnerabilities

CVE-2026-21637: Incomplete TLS SNICallback fix enables remote process crash

CVE-2026-21637 is a remote Denial of Service caused by incomplete error handling in the TLS layer.

This CVE was originally disclosed in the January 2026 Node.js security release at Medium severity, where the fix addressed synchronous exceptions in the pskCallback and ALPNCallback code paths. However, the loadSNI() function in _tls_wrap.js was not wrapped with the same try/catch protection.

When a TLS client sends an unexpected servername value and the SNICallback throws synchronously, the exception bypasses all TLS error handlers and propagates as an uncaught exception, crashing the Node.js process immediately.

Why the severity escalated to High: SNI (Server Name Indication) is more commonly configured than PSK or ALPN callbacks in production TLS servers. The attack requires no authentication, no special privileges, and no user interaction. Any publicly exposed TLS server running an SNICallback that can throw on malformed input is vulnerable.

CVSS v3.1: 7.5 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected versions: Node.js 20.x, 22.x, 24.x, and 25.x (all versions that received the original January 2026 CVE-2026-21637 fix).

CVE-2026-21710: __proto__ header name crashes Node.js HTTP servers

CVE-2026-21710 is a remote Denial of Service in Node.js HTTP request handling.

When an HTTP request is received with a header named __proto__ and the application accesses req.headersDistinct, the property lookup resolves to Object.prototype instead of undefined. Node.js then calls .push() on a non-array object, triggering an uncaught TypeError that crashes the process.

This is particularly dangerous because the error is thrown synchronously inside a property getter. Standard error event listeners cannot intercept it. The only way to prevent the crash without patching is to wrap every req.headersDistinct access in a try/catch block, which is impractical in production codebases and impossible in third-party middleware.

CVSS v3.1: 7.5 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected versions: All Node.js HTTP servers on 20.x, 22.x, 24.x, and 25.x.

Medium-severity vulnerabilities

CVE-2026-21714: HTTP/2 memory leak via WINDOW_UPDATE on stream 0

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on the connection-level stream (stream 0) that push the flow control window beyond the maximum value of 2³¹-1. The server correctly responds with a GOAWAY frame, but the Http2Session object is never cleaned up.

A remote attacker can exploit this by opening repeated connections and triggering the leak on each one, eventually exhausting server memory.

Affected versions: 20.x, 22.x, 24.x, 25.x.

CVE-2026-21713: HMAC timing side-channel via non-constant-time comparison

Node.js Web Cryptography HMAC verification uses memcmp(), a non-constant-time comparison function, when validating user-provided signatures. This leaks timing information proportional to the number of matching bytes.

Under threat models where high-resolution timing measurements are possible (for example, co-located services or high-frequency network probing), an attacker could use this as a timing oracle to infer valid HMAC values. The fix replaces memcmp() with a constant-time comparison.

Affected versions: 20.x, 22.x, 24.x, 25.x.

CVE-2026-21712: URL assertion failure crashes Node.js process

A malformed internationalized domain name (IDN) passed to url.format() triggers an assertion failure in node_url.cc, immediately crashing the Node.js process. Any application that processes user-supplied URLs through the url.format() API without pre-validation is exposed.

Affected versions: 24.x and 25.x only.

CVE-2026-21711: Permission Model bypass allows UDS server without --allow-net

A gap in the Node.js Permission Model network enforcement allows Unix Domain Socket (UDS) servers to bind and listen without the required --allow-net flag. Code running under --permission without --allow-net can create local IPC endpoints, enabling communication with other processes outside the intended network restriction boundary.

Note: the --allow-net flag is currently experimental.

Affected versions: 25.x only.

Additional fixes (Low severity)

The March release also addresses two Low-severity Permission Model bypasses:

CVE-2026-21715 allows fs.realpathSync.native() to bypass read permission checks, enabling file existence disclosure outside permitted directories.

CVE-2026-21716 is an incomplete fix for CVE-2024-36137 that leaves FileHandle.chmod() and FileHandle.chown() in the promises API without permission enforcement, while their callback-based equivalents were correctly patched.

Both affect 20.x, 22.x, 24.x, and 25.x under the Permission Model.

The EOL Exposure Gap

The critical context for this security release is the Node.js version lifecycle.

Node.js 20 is still receiving patches today, but the window is closing. After April 30, any new CVE disclosure that affects Node.js 20 will receive fixes only for Node.js 22, 24, and subsequent releases. Node.js 20 users will be exposed with no upstream fix.

Node.js 18 and earlier are already in this situation. They received no patches from this March 2026 release and will not receive patches for any future CVEs.

This is exactly the gap NES for Node.js is designed to fill. HeroDevs already ships patched builds for Node.js 20 and 22 that include remediations for these March 2026 CVEs, and continues to resolve vulnerabilities in Node.js 18, 16, 14, and 12 that receive no upstream attention.

Why this Batch Matters

Two patterns in this release are worth highlighting:

1. Incomplete fix recurrence. CVE-2026-21637 was originally disclosed in January 2026 as a Medium-severity issue affecting PSK and ALPN callbacks. The March release reveals that the same vulnerability class (unhandled synchronous exceptions in TLS callbacks) was left unaddressed in the SNICallback path. The severity escalated to High because SNI is more commonly deployed. This is a reminder that a single CVE disclosure does not always mean the entire attack surface has been addressed: variations and incomplete fixes are a recurring pattern in security work.

2. Prototype pollution as a DoS vector. CVE-2026-21710 is a clean demonstration of how JavaScript's prototype chain can be weaponized in server-side contexts. A single HTTP header named __proto__ is enough to crash a Node.js process if the application touches req.headersDistinct. The fix creates headersDistinct and trailersDistinct using a null-prototype object, preventing the prototype chain lookup. This is the kind of language-level footgun that frameworks must guard against, because application developers cannot reasonably defend against it in userland.

Mitigation Guidance

Frequently Asked Questions

Does NES for Node.js cover all nine CVEs in the March 2026 security release?

Yes. HeroDevs patched builds for Node NES include remediations for all nine CVEs disclosed in the March 24, 2026 release, including both High-severity process crashes (CVE-2026-21637 and CVE-2026-21710). Node NES also continues to remediate new CVEs after Node.js 20 reaches end of life on April 30, 2026.

What happens to my Node.js 20 application after April 30, 2026?

The Node.js project will stop issuing security patches for Node.js 20. Any CVE disclosed after that date will receive upstream fixes only for Node.js 22, 24, and later, leaving Node.js 20 permanently exposed without a patch. NES for Node.js fills that gap with ongoing vulnerability remediation for versions 12 through 22.

Do I need to change my code to use HeroDevs Node NES?

No. Node NES provides drop-in patched builds that replace your existing Node.js runtime. There are no API changes, no dependency updates, and no modifications required to your application code.

Is HeroDevs an official Node.js support provider?

HeroDevs is a founding member of the OpenJS Foundation's Ecosystem Sustainability Program (ESP), the formal framework through which commercial vendors provide long-term support for Node.js and other OpenJS projects. NES for Node.js is sanctioned through that program.

Taking action

The March 2026 Node.js security release is a timely illustration of why end-of-life software creates compounding risk. Two remotely exploitable, unauthenticated process crashes landed in a single batch, and Node.js 20 has fewer than 30 days of upstream support remaining. Node.js 18 and earlier receive nothing at all.

For teams running Node.js 20 in production, this is the moment to decide: upgrade to Node.js 22 or 24 before April 30, or ensure you have a plan for ongoing security coverage.

If your team can't complete a migration to Node.js 22 or 24 before April 30, NES for Node.js provides drop-in patched builds for versions 12 through 20, including remediations for all nine CVEs in this release. HeroDevs is the founding member of the OpenJS Foundation's Ecosystem Sustainability Program, and NES patches for the March 2026 batch are available today.

Author: Greg Allen, Chief Technology Officer