CVE-2026-21710

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

How to fix CVE-2026-21710

To remediate CVE-2026-21710, upgrade the affected package to a fixed version below.

• —upgrade to 22.22.2-r0 or later
• —upgrade to 20.20.2 or later
• —upgrade to 20.20.2 or later
• —upgrade to 18.20.4+dfsg-1~deb12u2 or later

Is CVE-2026-21710 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 22.22.2-r0
• from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
• from 0, < 20.20.2, >= 21.0.0, < 22.22.2, >= 23.0.0, < 24.14.1, >= 25.0.0, < 25.8.2
• from 0, < 18.20.4+dfsg-1~deb12u2

CVSS scores

References (4)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-21710
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-21710
• WEBnodejs.org/en/blog/vulnerability/march-2026-security-releases
• WEBnvd.nist.gov/vuln/detail/CVE-2026-21710