wid-sec-w-2026-0843 · Published 2026-03-24 · View on BSI CERT-Bund ↗

Node.js: Multiple Vulnerabilities

CVSS 7.5 HIGH

Risk Summary

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

CVEs (10)

CVE-2024-36137 CVE-2026-21637 CVE-2026-21710 CVE-2026-21711 CVE-2026-21712 CVE-2026-21713 CVE-2026-21714 CVE-2026-21715 CVE-2026-21716 CVE-2026-21717

Affected Vendors

Debian Open Source Oracle RESF Red Hat SUSE

Affected Products (8)

Open Source · Node.js <20.20.2

Open Source · Node.js 20.20.2

Open Source · Node.js <22.22.2

Open Source · Node.js 22.22.2

Open Source · Node.js <24.14.1

Open Source · Node.js 24.14.1

Open Source · Node.js <25.8.2

Open Source · Node.js 25.8.2

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more