A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct. When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.

* This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x
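The failure mode described above, reduced to a stand-alone model with a hardened counterpart and a guarded accessor. This is an added example, not Node.js source and not part of the advisory; the function names and the sample header list are assumptions constructed for illustration, and the hardened form is one general way to make such a map safe, not necessarily the fix Node.js shipped.

```javascript
// Simplified model of building a name -> [values] map from raw header pairs.
// Not Node.js source; all function names here are hypothetical.

// Constructed sample, shaped like req.rawHeaders: [name, value, name, value, ...]
const sampleRawHeaders = [
  'Host', 'example.test',
  'Accept', 'text/html',
  'Accept', 'application/json',
  '__proto__', 'x',
];

// Fragile: dest is an ordinary object, so dest['__proto__'] is Object.prototype,
// which is truthy but has no push(); the call throws a TypeError.
function distinctFragile(rawHeaders) {
  const dest = {};
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (dest[name]) dest[name].push(rawHeaders[i + 1]);
    else dest[name] = [rawHeaders[i + 1]];
  }
  return dest;
}

// Hardened: a null-prototype map has no inherited '__proto__' accessor, and the
// own-property check never treats an inherited value as an existing entry.
function distinctHardened(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (Object.hasOwn(dest, name)) dest[name].push(rawHeaders[i + 1]);
    else dest[name] = [rawHeaders[i + 1]];
  }
  return dest;
}

// Guarded access for unpatched runtimes: the throw is synchronous inside the
// getter, so only a try/catch around the property access can contain it.
function safeHeadersDistinct(req) {
  try {
    return req.headersDistinct;
  } catch (err) {
    if (err instanceof TypeError) return null; // caller can answer 400
    throw err;
  }
}
```

A handler that receives `null` from `safeHeadersDistinct` can reject the request instead of letting the exception terminate the process.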
Exploitability
AV:N AC:L PR:N UI:N
Scope
S:U
Impact
C:N I:N A:H
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H