nodejs: Evented I/O for V8 JavaScript


Products by nodejs, sorted by most security vulnerabilities since 2018

node.js: 148 vulnerabilities
Undici: 16 vulnerabilities
nodejs: 9 vulnerabilities
Elliptic: 1 vulnerability

Recent nodejs Security Advisories

Advisory ID | Title | Published
march-2026-hashdos | Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 | March 24, 2026
2026-03-17 | Tuesday, March 24, 2026 Security Releases | March 17, 2026
2026-01-28 | OpenSSL Security Advisory Assessment, January 2026 | January 28, 2026
2026-01-13 | Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users | January 13, 2026
2025-12-08 | Monday, December 15, 2025 Security Releases | December 8, 2025
2025-07-08 | Tuesday, July 15, 2025 Security Releases | July 8, 2025
2025-05-08 | Wednesday, May 14, 2025 Security Releases | May 8, 2025
2025-03-31 | Node.js Test CI Security Incident | March 31, 2025
2025-03-07 | Updates on CVE for End-of-Life Versions | March 7, 2025
2025-01-14 | Tuesday, January 21, 2025 Security Releases | January 14, 2025

By the Year

In 2026 there have been 19 vulnerabilities in nodejs with an average CVE base score of 6.4 out of ten. In 2025, nodejs had 6 security vulnerabilities published. That is 13 more vulnerabilities reported so far in 2026 than in all of last year, and the average CVE base score in 2026 is also higher, by 3.33 points.




Year  Vulnerabilities  Average Score
2026  19               6.43
2025  6                3.10
2024  23               6.48
2023  24               6.98
2022  28               7.24
2021  27               7.41
2020  15               8.09
2019  14               5.77
2018  20               6.83

It may take a day or so for new nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent nodejs Security Vulnerabilities

Each entry lists the CVE ID, publication date, title, description and, where the page records one, the affected product.

CVE-2026-21710 (Mar 30, 2026)
Title: Node.js HTTP __proto__ Header Injection Causing Uncaught TypeError
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and 25.x**.
CVE-2026-21715 (Mar 30, 2026)
Title: Node.js Permission Model Bypass via fs.realpathSync.native()
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
CVE-2026-21711 (Mar 30, 2026)
Title: Node.js 25.x Permission Model Bypass Exploiting UDS
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
CVE-2026-21716 (Mar 30, 2026)
Title: Node.js FileHandle Promise API Bypass in PermissionModel
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
CVE-2026-21714 (Mar 30, 2026)
Title: Node.js HTTP/2 Memory Leak via WINDOW_UPDATE Overflow
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP/2 users on Node.js 20, 22, 24 and 25.
CVE-2026-21713 (Mar 30, 2026)
Title: Node.js HMAC Timing Oracle Exploit (CVE-2026-21713)
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVE-2026-21717 (Mar 30, 2026)
Title: V8 String Hash Collision DoS in Node.js via JSON.parse
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVE-2026-21712 (Mar 30, 2026)
Title: Node.js URL.format() Crash via Malformed IDN
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
CVE-2026-2229 (Mar 12, 2026)
Title: Undici <7.24.0: Invalid permessage-deflate server_max_window_bits Causes DoS
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process
Product: Undici
CVE-2026-2581 (Mar 12, 2026)
Title: Undici deduplication interceptor memory OOM | 7.23
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici's deduplication interceptor against endpoints that may produce large or long-lived response bodies.
Patches: The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
Product: Undici
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).