{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21710", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.558Z", "dateUpdated": "2026-03-30T19:07:28.558Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.558Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"}], "id": "CVE-2026-21710", "lastModified": "2026-03-30T20:16:18.210", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:18.210", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:21:26.069434+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to the latest Node.js 20.x, 22.x, 24.x, or v25.x release that resolves the __proto__ header bug.", "If an immediate upgrade is not possible, modify application code to avoid accessing req.headersDistinct, or wrap all such accesses in try/catch blocks to prevent the crash.", "Configure firewalls or use middleware to detect and reject HTTP requests that contain the __proto__ header until a patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Node.js HTTP servers running versions 20.x, 22.x, 24.x, and v25.x are affected. The flaw appears in the core HTTP module, so any application that uses Node.js\u2019s built\u2011in HTTP handling is vulnerable.", "description_and_impact": "Node.js HTTP servers crash when a request contains a header named __proto__ and the application accesses req.headersDistinct. The request handling resolves dest[\"__proto__\"] to Object.prototype, causing a .push() call on a non\u2011array. This synchronous TypeError bubbles out of a property getter and cannot be caught by the event system, forcing the server to terminate and denying service.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is considered high severity. Although EPSS data is not available and the flaw is not listed in CISA's KEV catalog, the exploit path is trivial: send an HTTP request bearing the __proto__ header. Because the error cannot be intercepted, the crash is assured, making exploitation extremely likely and widespread if a Node.js server is exposed to public traffic. The impact is purely a denial of service with no direct compromise of data confidentiality or integrity."}}}}, "created": "2026-03-30T20:55:09.300836+00:00", "title": "Unhandled TypeError from __proto__ Header in Node.js HTTP Request Handling", "updated": "2026-03-30T20:55:09.300877+00:00", "vendors": [], "weaknesses": ["CWE-20"]}