Path manipulation in Node.js - CVE-2026-21637

Published: March 25, 2026 / Updated: April 17, 2026


Vulnerability identifier: #VU124541
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-21637
CWE-ID: CWE-249
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Node.js Foundation
Affected software:
Node.js

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper error handling in _tls_wrap.js when processing TLS SNI handshake requests. A remote attacker can send a specially crafted request with unexpected servername input to cause an uncaught exception, crashing the Node.js process.

Exploitation occurs during the TLS handshake when an SNICallback is configured and throws synchronously.


How to mitigate CVE-2026-21637

Install the security update from the vendor's website.

Sources