CVE-2026-21710

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Affected packages (4)

• Alpine/nodejsfrom 0, < 22.22.2-r0
• Bitnami/nodefrom 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
• Bitnami/node-minfrom 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
• Debian/nodejsfrom 0, < 18.20.4+dfsg-1~deb12u2

CVSS scores

References (4)

• ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-21710
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-21710
• WEBhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases
• WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-21710