{
  "threat_severity" : "Important",
  "public_date" : "2026-03-30T19:07:28Z",
  "bugzilla" : {
    "description" : "Node.js: Denial of Service due to crafted HTTP `__proto__` header",
    "id" : "2453151",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453151"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-843",
  "details" : [ "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, so `.push()` is called on a non-array. The exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, so it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and 25.x**", "A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named `__proto__`. When a Node.js application processes this request and accesses `req.headersDistinct`, it encounters an unhandled `TypeError`, leading to an application crash. This can result in a Denial of Service (DoS), making the affected service unavailable to users." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-08T00:00:00Z",
    "advisory" : "RHSA-2026:7080",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs22-1:22.22.2-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7675",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.14.1-2.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7310",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "nodejs22-1:22.22.2-2.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-08T00:00:00Z",
    "advisory" : "RHSA-2026:7123",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020260331102257.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7670",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260408131901.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-15T00:00:00Z",
    "advisory" : "RHSA-2026:8339",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020260414073138.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7302",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9070020260401095228.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7350",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260402152654.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-13T00:00:00Z",
    "advisory" : "RHSA-2026:7896",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9070020260409073121.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9711",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nodejs:20-9040020260421133644.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:7983",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:22-9060020260409121057.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9874",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:20-9060020260422064119.rhel9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-21710\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21710\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases" ],
  "name" : "CVE-2026-21710",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}