FIND-20260331-002 · 2026-03-31 · Innovation Veille

Node.js March 2026 security releases — 2 HIGH severity CVEs patched

cve HIGH
Node.js released security updates on 2026-03-24 for all active release lines (v20.20.2, v22.22.2, v24.14.1, v25.8.2). Two HIGH severity vulnerabilities were patched: CVE-2026-21637 (SNICallback crashes the process via an unhandled synchronous exception during TLS) and CVE-2026-21710 (DoS via a __proto__ header name in req.headersDistinct). Five MEDIUM CVEs were also patched, including a timing side-channel in HMAC (CVE-2026-21713) and an HTTP/2 memory leak (CVE-2026-21714).

Source

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

ODS Impact

ODS services using Node.js (ods-dashboard Hono API, any Node-based tooling) must update. CVE-2026-21637 and CVE-2026-21710 can crash the process remotely. Update to v22.22.2 (LTS) or v20.20.2 immediately. Check the engines field in each package.json.
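One way to script the version and engines check above, as an added example (not code from Node.js or from ODS). The fixed versions come from this finding; the function names classify and enginesFindings are hypothetical, and the range check is a heuristic rather than a full semver parser.

```javascript
// Added example, not code from the Node.js project or from ODS.
// PATCHED holds the fixed versions named in this finding, one per release line.
const PATCHED = { 20: [20, 20, 2], 22: [22, 22, 2], 24: [24, 14, 1], 25: [25, 8, 2] };

// Classify one concrete version such as process.version ("v22.21.0").
// Anything at or above its line's fixed version is treated as patched.
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return 'unparseable';
  const v = m.slice(1).map(Number);
  const floor = PATCHED[v[0]];
  if (!floor) return 'unlisted-line'; // release line not covered by the finding
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i] ? 'patched' : 'vulnerable';
  }
  return 'patched';
}

// Missing or wildcard parts ("22", "22.x") resolve to 0 for the lowest match.
const part = (p) => (/^\d+$/.test(p || '') ? p : '0');

// Heuristic check of a package.json "engines.node" range. Every version the
// range names with >=, ^, ~, = or no operator is itself admitted by the range,
// so if that version is unpatched the range lets an unpatched runtime through.
// Assumption: other comparators in the same set do not exclude it, and the
// range carries no prerelease tags.
function enginesFindings(range) {
  const findings = [];
  const token = /(>=|<=|>|<|\^|~|=)?\s*v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?/gi;
  for (const [, op, major, minor, patch] of String(range).matchAll(token)) {
    if (op === '<' || op === '<=' || op === '>') continue; // bound itself not admitted
    const lowest = `${major}.${part(minor)}.${part(patch)}`;
    const status = classify(lowest);
    if (status !== 'patched') findings.push({ lowest, status });
  }
  return findings;
}

// Report the runtime executing this script.
console.log(process.version, classify(process.version));
```

An empty result from enginesFindings means every version the range names is at or above the fixed release for its line; an 'unlisted-line' entry means the range admits a release line this finding does not cover.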

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

nodejs cve security dos tls http2 high-severity