VDB
DEBIAN-CVE-2026-21710
DEBIAN-CVE-2026-21710
PUBLISHED
CVSS 7.5 HIGH
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Risk Scores
CVSS v3.0
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | nodejs | 0, 20.19.4+dfsg-1, 20.19.5+dfsg+~cs20.19.12-1 |
| Debian:13 | nodejs | 0, 20.19.2+dfsg-1+deb13u1, 0 |
| Debian:12 | nodejs | 18.13.0+dfsg1-1, 18.13.0+dfsg1-1.1, 18.19.0+dfsg-1 |
| Debian:11 | nodejs | 12.22.12, 12.22.12, 12.22.12 |
Timeline
- Mar 30, 2026 CVE Published
- May 14, 2026 CVE Updated