FIND-20260327-003 · 2026-03-27 · Innovation Veille
Node.js March 2026 security releases — 9 CVEs across all active lines
cve
HIGH
On March 24, 2026 the Node.js project released security patches for all active release lines (v20.20.2, v22.22.2, v24.14.1, v25.8.2). Two HIGH severity CVEs affect all release lines: CVE-2026-21637 (remote DoS via SNI callback crash in TLS) and CVE-2026-21710 (uncaught TypeError crash via a __proto__ header name). Medium severity: CVE-2026-21713 (HMAC timing side-channel), CVE-2026-21714 (HTTP/2 memory leak via WINDOW_UPDATE), CVE-2026-21717 (V8 HashDoS). Low severity: CVE-2026-21715, CVE-2026-21716. Additionally, undici was updated to 6.24.1/7.24.4. Immediate upgrade of all Node.js runtimes is required.
Source
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
ODS Impact
ODS services running on Node.js (the ODS Dashboard on Next.js/Hono, and any Node-based tooling) must upgrade to the patched versions. The TLS DoS (CVE-2026-21637) and the HTTP/2 memory leak (CVE-2026-21714) are particularly relevant to always-on services. Update all Dockerfiles and package.json engine constraints to v22.22.2 LTS or v24.14.1 LTS. The HMAC timing side-channel (CVE-2026-21713) affects any service that performs HMAC verification in Node code.
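As an added example (not code from the Node.js project or from ODS), the following Node.js script checks a runtime version string or a Dockerfile `FROM node:` line against the patched floors listed above; the function names and the sample Dockerfile lines are constructed for illustration, and only the release versions named in the advisory are encoded.

```javascript
// Added example, not code from the Node.js project or ODS: audit Node.js runtime
// versions and Dockerfile base images against the March 2026 patched releases.
// Only versions named in the advisory are encoded here.
const PATCHED_FLOOR = { 20: '20.20.2', 22: '22.22.2', 24: '24.14.1', 25: '25.8.2' };

// Accepts 'v22.22.1', '22.22.1-alpine', etc.; returns [major, minor, patch] or null
// when the string is not a fully pinned X.Y.Z version (e.g. '22-alpine', 'lts-alpine').
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// status: 'patched' | 'vulnerable' | 'unpinned' (cannot be verified from the string) |
// 'unknown-line' (major not covered by the advisory; treat as exposed until confirmed).
function assessNodeVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return { status: 'unpinned', minimum: null };
  const floor = PATCHED_FLOOR[parsed[0]];
  if (!floor) return { status: 'unknown-line', minimum: null };
  const ok = compareVersions(parsed, parseVersion(floor)) >= 0;
  return { status: ok ? 'patched' : 'vulnerable', minimum: floor };
}

// Checks a Dockerfile line such as 'FROM node:22.22.1-alpine AS build' (registry
// prefixes like docker.io/library/ are accepted). Returns null for non-node images.
function assessDockerfileFrom(line) {
  const m = /^\s*FROM\s+(?:[\w.-]+\/)*node:(\S+)/i.exec(line);
  if (!m) return null;
  return { tag: m[1], ...assessNodeVersion(m[1]) };
}

// Constructed sample lines, as a Dockerfile audit would see them.
const SAMPLE_DOCKERFILE = [
  'FROM node:20.20.1-alpine AS build', // one patch release behind the v20 floor
  'FROM node:22-alpine',               // floating tag: cannot be verified from the file
  'FROM node:24.14.1-slim',            // on the patched release
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('runtime', process.version, assessNodeVersion(process.version));
  for (const line of SAMPLE_DOCKERFILE) console.log(line, '=>', assessDockerfileFrom(line));
}
```

A floating tag such as `node:22-alpine` is reported as unpinned because the file alone cannot prove which patch release the image resolves to; pin the full version or inspect the built image.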
Security Review
License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
node.js
CVE
security
TLS
HTTP2
HMAC
DoS