UBUNTU-CVE-2026-21710 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2026-21710

HIGH7.5

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs,

Published Mar 30, 2026

Modified 4 days ago

Details

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct. When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch. * This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x

Affected Packages

nodejs

Ubuntu 24.04 LTS

Affected versions:

18.13.0+dfsg1-1ubuntu218.19.1+dfsg-2ubuntu418.19.1+dfsg-6ubuntu118.19.1+dfsg-6ubuntu218.19.1+dfsg-6ubuntu5

nodejs

Ubuntu 25.10

Affected versions:

20.18.1+dfsg-1ubuntu220.19.2+dfsg-120.19.4+dfsg-1

nodejs

Ubuntu 26.04

Affected versions:

20.19.4+dfsg-120.19.5+dfsg+~cs20.19.12-422.21.1+dfsg+~cs22.19.0-6ubuntu422.22.0+dfsg+~cs22.19.13-2ubuntu122.22.0+dfsg+~cs22.19.6-1ubuntu222.22.1+dfsg+~cs22.19.15-1ubuntu1

nodejs

Ubuntu Pro 14.04 LTS

Affected versions:

0.10.15~dfsg1-40.10.21~dfsg1-10.10.22~dfsg1-20.10.23~dfsg1-10.10.23~dfsg1-20.10.23~dfsg1-30.10.24~dfsg1-10.10.25~dfsg2-20.10.25~dfsg2-2ubuntu10.10.25~dfsg2-2ubuntu1.2+2 more

nodejs

Ubuntu Pro 16.04 LTS

Affected versions:

0.10.25~dfsg2-2ubuntu14.2.2~dfsg-14.2.3~dfsg-14.2.4~dfsg-1ubuntu14.2.4~dfsg-24.2.6~dfsg-1ubuntu14.2.6~dfsg-1ubuntu44.2.6~dfsg-1ubuntu4.14.2.6~dfsg-1ubuntu4.24.2.6~dfsg-1ubuntu4.2+esm1+2 more

nodejs

Ubuntu Pro 18.04 LTS

Affected versions:

6.11.4~dfsg-1ubuntu16.11.4~dfsg-1ubuntu26.12.0~dfsg-1ubuntu16.12.0~dfsg-2ubuntu16.12.0~dfsg-2ubuntu28.10.0~dfsg-28.10.0~dfsg-2ubuntu0.28.10.0~dfsg-2ubuntu0.38.10.0~dfsg-2ubuntu0.48.10.0~dfsg-2ubuntu0.4+esm1+5 more

nodejs

Ubuntu Pro 20.04 LTS

Affected versions:

10.15.2~dfsg-2ubuntu110.17.0~dfsg-2ubuntu410.17.0~dfsg-2ubuntu610.19.0~dfsg-3ubuntu110.19.0~dfsg-3ubuntu1.110.19.0~dfsg-3ubuntu1.210.19.0~dfsg-3ubuntu1.310.19.0~dfsg-3ubuntu1.510.19.0~dfsg-3ubuntu1.610.19.0~dfsg-3ubuntu1.6+esm2

nodejs

Ubuntu Pro 22.04 LTS

Affected versions:

12.22.5~dfsg-5ubuntu112.22.7~dfsg-2ubuntu112.22.7~dfsg-2ubuntu312.22.9~dfsg-1ubuntu212.22.9~dfsg-1ubuntu312.22.9~dfsg-1ubuntu3.112.22.9~dfsg-1ubuntu3.212.22.9~dfsg-1ubuntu3.312.22.9~dfsg-1ubuntu3.412.22.9~dfsg-1ubuntu3.5+2 more

References

REPORT

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases#denial-of-service-via-__proto__-header-name-in-reqheadersdistinct-uncaught-typeerror-crashes-nodejs-process-cve-2026-21710---high

REPORT

https://ubuntu.com/security/CVE-2026-21710

REPORT

https://www.cve.org/CVERecord?id=CVE-2026-21710

CVSS Analysis

CVSS v3.0

Exploitability

Attack Vector

NetworkAV:N