FIND-20260330-002 · 2026-03-30 · Innovation Veille

Node.js March 2026 security releases — 7–9 CVEs per line (all active LTS + current)

cve HIGH
Node.js released security patches on 2026-03-24 for all active lines (v20.x, v22.x, v24.x, v25.x). Key CVEs: CVE-2026-21637 (TLS loadSNI remote DoS — High), CVE-2026-21710 (HTTP __proto__ header uncaught TypeError — High), CVE-2026-21711 (permission model UDS bypass — Medium), CVE-2026-21712 (malformed URL crash — Medium), CVE-2026-21713 (HMAC timing side-channel — Medium), CVE-2026-21714 (HTTP/2 WINDOW_UPDATE memory leak — Medium). The undici HTTP client library was also patched (6.24.1 / 7.24.4). ODS services using Node.js (ods-dashboard Hono/Next.js) should upgrade their base images.

Source

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

ODS Impact

ODS Dashboard (Next.js 15 + Hono on Node.js) and any CI tooling using Node.js are affected. The HTTP/2 memory leak (CVE-2026-21714) is particularly relevant for long-running Hono API processes. Upgrade base Docker images to node:22-alpine (v22.22.2 or later). Check the pinned undici version in package.json and confirm it is at or above the patched release (6.24.1 / 7.24.4).
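As an added example (not code from the Node.js project or the ODS repository), a POSIX sh check that grades a Node.js runtime and a pinned undici version against the floors this finding quotes; it assumes the undici pin is read from a lockfileVersion 2/3 package-lock.json, and Node lines whose patched version is not quoted here (v20/v24/v25) are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not from the Node.js advisory or the ODS project: grades a Node.js
# runtime and an undici dependency against the patched floors this finding quotes
# (Node v22.22.2; undici 6.24.1 / 7.24.4); unquoted lines are reported as "unknown".
# version_ge A B: succeed when dotted version A >= B (release versions only; a missing
# component counts as 0, a leading "v" is ignored, prerelease suffixes are not handled)
version_ge() {
  a="${1#v}.0.0"; b="${2#v}.0.0"; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}
# node_status VERSION (as printed by `node --version`): patched | vulnerable | unknown.
# Only the v22 floor is encoded because it is the only one this finding quotes.
node_status() {
  v=${1#v}; case "${v%%.*}" in
    22) floor=22.22.2 ;;
    *)  echo unknown; return 0 ;;
  esac
  if version_ge "$v" "$floor"; then echo patched; else echo vulnerable; fi
}
# undici_status VERSION: same verdict against the 6.x / 7.x floors quoted above
undici_status() {
  v=${1#v}; case "${v%%.*}" in
    6) floor=6.24.1 ;;
    7) floor=7.24.4 ;;
    *) echo unknown; return 0 ;;
  esac
  if version_ge "$v" "$floor"; then echo patched; else echo vulnerable; fi
}
# undici_lock_version [FILE]: version pinned for node_modules/undici in a
# package-lock.json (lockfileVersion 2/3); reads stdin when FILE is omitted
undici_lock_version() {
  awk 'index($0, "\"node_modules/undici\":") { f = 1 }
       f && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }' "${1:--}"
}
# Constructed lockfile fragment (sample data, not from the ODS repository)
SAMPLE_LOCK='{ "lockfileVersion": 3, "packages": { "node_modules/undici": {
    "version": "6.21.0" } } }'
pinned=$(printf '%s\n' "$SAMPLE_LOCK" | undici_lock_version)
echo "undici $pinned (sample lockfile): $(undici_status "$pinned")"
if command -v node >/dev/null 2>&1; then   # live check of the Node on PATH, if any
  echo "node $(node --version): $(node_status "$(node --version)")"
fi
```

Run it against the real lockfile with `undici_lock_version package-lock.json` in the image's CI step; a "vulnerable" or "unknown" verdict should fail the build until the base image and undici are bumped.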

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

nodejs cve security tls http2 undici ods-dashboard patch-required