FIND-20260403-002 · 2026-04-03 · Innovation Veille

Node.js March 2026 Security Releases — 9 CVEs Fixed (2 High Severity)

cve HIGH
Node.js released security updates on March 24, 2026 for all active release lines (v20.20.2, v22.22.2, v24.14.1, v25.8.2), addressing 9 CVEs. Two are High severity: CVE-2026-21637 (TLS SNICallback DoS via uncaught exception) and CVE-2026-21710 (DoS via a __proto__ header in req.headersDistinct). Medium-severity issues include an HMAC timing side channel (CVE-2026-21713), an HTTP/2 memory leak (CVE-2026-21714), and V8 HashDoS (CVE-2026-21717). ODS currently tracks Node.js LTS 22.22.2 and Current 25.9.0, both of which incorporate these fixes.

Source

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

ODS Impact

ODS uses Node.js 22.x LTS for the ODS Dashboard (Next.js/Hono). CVE-2026-21710 (__proto__ header DoS) is particularly relevant for any HTTP service that accesses req.headersDistinct. Node.js 22.22.2 already incorporates these patches — confirm this version is deployed on srv-staging. The HMAC timing side-channel (CVE-2026-21713) affects all crypto.createHmac users.
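One way to confirm the deployed version, as an added example that is not part of the Node.js advisory or ODS tooling: it compares a reported Node.js version against the patched minimum for its release line, using the four versions listed above. The function names and the sample inventory are assumptions; apart from srv-staging, the host names are constructed.

```javascript
// Added example. Patched minimums are the versions listed in the summary above.
const PATCHED_MINIMUMS = new Map([
  [20, [20, 20, 2]],
  [22, [22, 22, 2]],
  [24, [24, 14, 1]],
  [25, [25, 8, 2]],
]);

// Accept only plain release versions ("v22.22.2" or "22.22.2").
// Nightly, RC and otherwise decorated builds return null and are reported as unknown.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(raw).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison per component; a string comparison would rank "22.9.0" above "22.22.2".
function isAtLeast(version, minimum) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== minimum[i]) return version[i] > minimum[i];
  }
  return true;
}

// Returns "patched", "vulnerable", or "unknown" (unparseable input, or a release
// line that is not in the list of March 2026 security releases).
function checkNodeVersion(raw) {
  const version = parseVersion(raw);
  if (!version) return "unknown";
  const minimum = PATCHED_MINIMUMS.get(version[0]);
  if (!minimum) return "unknown";
  return isAtLeast(version, minimum) ? "patched" : "vulnerable";
}

// Returns the inventory entries that are not confirmed patched.
function auditInventory(inventory) {
  return Object.entries(inventory)
    .map(([host, version]) => ({ host, version, status: checkNodeVersion(version) }))
    .filter((entry) => entry.status !== "patched");
}

// Constructed sample inventory; only srv-staging is named on this page.
const SAMPLE_INVENTORY = {
  "srv-staging": "v22.22.2",
  "example-host-a": "v22.9.0",
  "example-host-b": "v18.20.8",
  "example-host-c": "v25.9.0",
};

console.log("this runtime:", process.version, checkNodeVersion(process.version));
console.table(auditInventory(SAMPLE_INVENTORY));
```

Treat "unknown" the same as "vulnerable" when gating a deployment, since it means the release line has no patched version in the list above.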

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

nodejs cve security dos tls http hmac