CVE-2026-21710

CVSS 7.5 HIGHEPSS 13.1%CWE-770

In short

A Node.js HTTP server crashes with an unhandled error when receiving a request with a header named `__proto__` if the application reads `req.headersDistinct`. This denial-of-service flaw cannot be caught by normal error handlers, forcing developers to add extra protection around header access.

Technical detail

The vulnerability exploits prototype pollution via HTTP header injection; when `__proto__` header is present and `req.headersDistinct` is accessed, the property getter resolves `dest["__proto__"]` to `Object.prototype` instead of undefined, causing a synchronous TypeError when `.push()` is called on the prototype object. This exception cannot be intercepted by error event listeners, enabling unauthenticated DoS against Node.js HTTP servers on versions 20.x, 22.x, 24.x, and 25.x.

Summary generated and translated by AI from the official description.

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

nodejs · node

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases