FIND-20260404-026 · 2026-04-04 · Innovation Veille
Node.js 22.22.2 LTS Security Release: CVE-2026-21637 (TLS DoS HIGH), CVE-2026-21710 (Proto Header DoS HIGH)
cve
HIGH
Node.js March 24, 2026 security release patches 7 CVEs across all active release lines (20.x, 22.x, 24.x, 25.x). Key HIGH-severity issues: CVE-2026-21637 — uncaught exception in SNICallback crashes TLS servers; CVE-2026-21710 — __proto__ header triggers uncaught TypeError crashing HTTP servers; CVE-2026-21711 — Permission Model bypass via Unix Domain Sockets; CVE-2026-21714 — Http2Session resource exhaustion via malicious WINDOW_UPDATE frames. Fixed in Node.js 22.22.2 (LTS Jod) and 24.14.1 (LTS Krypton). ODS last-versions.json shows nodejs-lts: 22.22.2 — already at latest secure version. Bundled OpenSSL upgraded to 3.5.2.
Source
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
ODS Impact
ODS uses Node.js 22 LTS (Jod line) for notification-hub, ods-dashboard, and other JS/TS services. CVE-2026-21637 and CVE-2026-21710 could crash production HTTP/TLS servers if not patched. ODS appears to be on 22.22.2 already per last-versions.json, but the recorded version is not the same as the running one: verify the runtime Node.js version on srv-staging with node --version, and verify that Dockerfiles pin node:22.22.2-alpine or later.
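The two verification steps above, as an added shell example (not ODS tooling and not part of the Node.js advisory): it compares a version string from node --version against the fixed releases named in this finding, and scans Dockerfile FROM lines for node base images, flagging stale pins and floating tags that cannot prove the fix is present. Only the 22.x and 24.x fixed versions are encoded; the sample Dockerfile is constructed.

```sh
# Added example: fixed versions come from the advisory summarised above;
# release lines it does not name are reported as UNKNOWN rather than guessed.
fixed_for_major() {            # 22 -> 22.22.2, 24 -> 24.14.1, else empty
  case "$1" in
    22) echo 22.22.2 ;;
    24) echo 24.14.1 ;;
    *)  echo "" ;;
  esac
}

version_ge() {                 # version_ge A B: exit 0 when A >= B (x.y.z)
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  if   [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]
  elif [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]
  else [ "$a3" -ge "$b3" ]
  fi
}

node_status() {                # node_status v22.22.1 -> PATCHED|VULNERABLE|FLOATING|UNKNOWN
  v=${1#v}; v=${v%%-*}         # drop the "v" from node --version and suffixes like -alpine
  case "$v" in
    *.*.*) ;;
    *) echo FLOATING; return 0 ;;   # node:22 or node:22-alpine is not a pin, cannot be audited
  esac
  fixed=$(fixed_for_major "${v%%.*}")
  if [ -z "$fixed" ]; then echo UNKNOWN
  elif version_ge "$v" "$fixed"; then echo PATCHED
  else echo VULNERABLE
  fi
}

check_dockerfile() {           # reads a Dockerfile on stdin, prints "<image> <status>" per node FROM
  while IFS= read -r line; do
    case "$line" in
      FROM*node:*) img=${line#*node:}; img=${img%% *}
                   echo "node:$img $(node_status "$img")" ;;
    esac
  done
}

# Constructed sample Dockerfile: one stale pin, one current pin, one floating tag.
SAMPLE_DOCKERFILE='FROM node:22.22.1-alpine AS build
RUN npm ci
FROM node:22.22.2-alpine
FROM node:24 AS tools'

printf '%s\n' "$SAMPLE_DOCKERFILE" | check_dockerfile
# On srv-staging the runtime itself is checked with:  node_status "$(node --version)"
```

Run it against each service's Dockerfile with check_dockerfile < Dockerfile; any VULNERABLE or FLOATING line is an image that needs a new pin before the finding can be closed.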
Security Review
License: N/A (Node.js runtime vulnerability) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
nodejs
cve
security-release
tls
http
dos
lts-22