VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2026-21710

⇱ NVD - CVE-2026-21710


  1. Vulnerabilities

CVE-2026-21710 Detail

Awaiting Enrichment

This CVE record has been marked for NVD enrichment efforts.

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://access.redhat.com/errata/RHSA-2026:7080 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7123 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7302 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7310 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7350 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7670 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7675 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7896 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:7983 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:8339 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:9711 redhat-SADP
https://access.redhat.com/errata/RHSA-2026:9874 redhat-SADP
https://access.redhat.com/security/cve/CVE-2026-21710 redhat-SADP
https://bugzilla.redhat.com/show_bug.cgi?id=2453151 redhat-SADP
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases HackerOne
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21710.json redhat-SADP

Weakness Enumeration

CWE-ID CWE Name Source
CWE-770 Allocation of Resources Without Limits or Throttling CISA-ADP  
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') redhat-SADP  

Change History

5 change records found show changes

CVE Modified by redhat-SADP 6/29/2026 11:17:24 PM

Action Type Old Value New Value
Added CVSS V3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Added CWE
CWE-843


Added Reference
https://access.redhat.com/errata/RHSA-2026:7080


Added Reference
https://access.redhat.com/errata/RHSA-2026:7123


Added Reference
https://access.redhat.com/errata/RHSA-2026:7302


Added Reference
https://access.redhat.com/errata/RHSA-2026:7310


Added Reference
https://access.redhat.com/errata/RHSA-2026:7350


Added Reference
https://access.redhat.com/errata/RHSA-2026:7670


Added Reference
https://access.redhat.com/errata/RHSA-2026:7675


Added Reference
https://access.redhat.com/errata/RHSA-2026:7896


Added Reference
https://access.redhat.com/errata/RHSA-2026:7983


Added Reference
https://access.redhat.com/errata/RHSA-2026:8339


Added Reference
https://access.redhat.com/errata/RHSA-2026:9711


Added Reference
https://access.redhat.com/errata/RHSA-2026:9874


Added Reference
https://access.redhat.com/security/cve/CVE-2026-21710


Added Reference
https://bugzilla.redhat.com/show_bug.cgi?id=2453151


Added Reference
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21710.json


Added Affected
[{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 10)","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:10.1"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 8)","defaultStatus":"affected","cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v.9.4)","defaultStatus":"affected","cpes":["cpe:/a:redhat:rhel_eus:9.4::appstream"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","defaultStatus":"affected","cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux AppStream (v. 9)","defaultStatus":"affected","cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"]}]


CVE Modified by CISA-ADP 6/17/2026 6:18:57 AM

Action Type Old Value New Value
Added SSVC
{"timestamp":"2026-03-31T13:55:20.665443Z","id":"CVE-2026-21710","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}


CVE Modified by HackerOne 6/17/2026 6:18:57 AM

Action Type Old Value New Value
Added Affected
[{"vendor":"nodejs","product":"node","defaultStatus":"unaffected","versions":[{"version":"20.20.1","lessThanOrEqual":"20.20.1","versionType":"semver","status":"affected"},{"version":"22.22.1","lessThanOrEqual":"22.22.1","versionType":"semver","status":"affected"},{"version":"24.14.0","lessThanOrEqual":"24.14.0","versionType":"semver","status":"affected"},{"version":"25.8.1","lessThanOrEqual":"25.8.1","versionType":"semver","status":"affected"},{"version":"4.0","lessThan":"4.*","versionType":"semver","status":"affected"},{"version":"5.0","lessThan":"5.*","versionType":"semver","status":"affected"},{"version":"6.0","lessThan":"6.*","versionType":"semver","status":"affected"},{"version":"7.0","lessThan":"7.*","versionType":"semver","status":"affected"},{"version":"8.0","lessThan":"8.*","versionType":"semver","status":"affected"},{"version":"9.0","lessThan":"9.*","versionType":"semver","status":"affected"},{"version":"10.0","lessThan":"10.*","versionType":"semver","status":"affected"},{"version":"11.0","lessThan":"11.*","versionType":"semver","status":"affected"},{"version":"12.0","lessThan":"12.*","versionType":"semver","status":"affected"},{"version":"13.0","lessThan":"13.*","versionType":"semver","status":"affected"},{"version":"14.0","lessThan":"14.*","versionType":"semver","status":"affected"},{"version":"15.0","lessThan":"15.*","versionType":"semver","status":"affected"},{"version":"16.0","lessThan":"16.*","versionType":"semver","status":"affected"},{"version":"17.0","lessThan":"17.*","versionType":"semver","status":"affected"},{"version":"18.0","lessThan":"18.*","versionType":"semver","status":"affected"},{"version":"19.0","lessThan":"19.*","versionType":"semver","status":"affected"}]}]


CVE Modified by CISA-ADP 3/31/2026 11:16:11 AM

Action Type Old Value New Value
Added CWE
CWE-770


New CVE Received from HackerOne 3/30/2026 4:16:18 PM

Action Type Old Value New Value
Added Description
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.

When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.

* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**


Added CVSS V3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Added Reference
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases


Quick Info

CVE Dictionary Entry:
CVE-2026-21710
NVD Published Date:
03/30/2026
NVD Last Modified:
06/29/2026
Source:
HackerOne