CVE-2026-21710
CVE-2026-21710
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 13.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
30 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In short
A Node.js HTTP server crashes with an unhandled error when receiving a request with a header named `__proto__` if the application reads `req.headersDistinct`. This denial-of-service flaw cannot be caught by normal error handlers, forcing developers to add extra protection around header access.
Technical detail
The vulnerability exploits prototype pollution via HTTP header injection; when `__proto__` header is present and `req.headersDistinct` is accessed, the property getter resolves `dest["__proto__"]` to `Object.prototype` instead of undefined, causing a synchronous TypeError when `.push()` is called on the prototype object. This exception cannot be intercepted by error event listeners, enabling unauthenticated DoS against Node.js HTTP servers on versions 20.x, 22.x, 24.x, and 25.x.
Summary generated and translated by AI from the official description.
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H