#VU124541 Path manipulation in Node.js - CVE-2026-21637

 

Published: March 25, 2026 / Updated: April 17, 2026


Vulnerability identifier: #VU124541
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-21637
CWE-ID: CWE-249
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Node.js
Software vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.

Exploitation occurs during the TLS handshake when an SNICallback is configured and throws synchronously.


Remediation

Install the security update from the vendor's website.
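
As defense in depth alongside the update, an application can wrap its own SNICallback so that a synchronous throw fails only the current handshake. This is an added example, not code from the advisory or from the Node.js fix; `guardSNICallback`, `lookup`, `probe` and the sample hostnames are hypothetical, and it goes one step beyond the advisory by also catching a rejected promise from an async callback.

```javascript
// Added example: names below are hypothetical, sample data is constructed.

function toError(e) {
  return e instanceof Error ? e : new Error(String(e));
}

// Wrap an SNICallback so nothing it throws escapes into the TLS handshake path.
function guardSNICallback(userCallback) {
  return function guardedSNICallback(servername, cb) {
    let settled = false;
    // Report a result to Node exactly once, even if userCallback misbehaves.
    const finish = (err, ctx) => {
      if (settled) return;
      settled = true;
      cb(err || null, err ? undefined : ctx);
    };
    try {
      const ret = userCallback(servername, finish);
      // An async SNICallback that rejects would otherwise be an unhandled rejection.
      if (ret && typeof ret.then === 'function') {
        ret.then(undefined, (e) => finish(toError(e)));
      }
    } catch (e) {
      // Synchronous throw: fail this one handshake instead of the process.
      finish(toError(e));
    }
  };
}

// Constructed sample: a lookup that throws on names it does not know.
// A Map avoids inherited keys that a plain object lookup would expose.
const contexts = new Map([['example.test', { placeholder: 'SecureContext' }]]);
function lookup(servername, cb) {
  const ctx = contexts.get(servername);
  if (!ctx) throw new Error('no context for requested servername');
  cb(null, ctx);
}

// Observe what the handshake code would receive from the guarded callback.
function probe(fn, servername) {
  let seen = null;
  guardSNICallback(fn)(servername, (err, ctx) => { seen = { err, ctx }; });
  return seen;
}

// In a server (key/cert options omitted here):
//   tls.createServer({ SNICallback: guardSNICallback(lookup), key, cert })
```

When the guarded callback reports an error, Node destroys that TLS socket and the server emits `tlsClientError`, which is a useful place to log the rejected handshake.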
