Description
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
Published: 2026-01-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A flaw in Node.js TLS error handling lets a remote client crash a TLS server, or exhaust its file descriptors, when the server is configured with a `pskCallback` or an `ALPNCallback`. A synchronous exception thrown inside either callback bypasses the normal TLS error paths (the server's `tlsClientError` event and the socket's `error` event), so it either terminates the process as an uncaught exception or silently leaks the file descriptor of the half-finished connection; repeated across many handshakes, the leak ends in denial of service. The recorded weaknesses are CWE-248 (uncaught exception) and CWE-400 (uncontrolled resource consumption), and the triggering input is the PSK identity or ALPN protocol list that the client itself sends during the handshake.

Affected Systems

Any Node.js TLS server that passes a `pskCallback` or an `ALPNCallback` to `tls.createServer()` (or `new tls.Server()`) is exposed if that callback can throw synchronously on client-supplied input. The record gives no version boundaries (the CPE is unversioned), so treat every Node.js release older than the fixing security release as affected. Servers that use neither callback, or whose callbacks cannot throw, are not reachable by this issue.

Risk and Exploitability

The severity score depends on the source: the CNA and Red Hat rate it CVSS 3.1 5.9 Medium (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), while the NVD analysis rates it 7.5 High with attack complexity Low, which is the score shown at the top of this page. EPSS is below 1 % and the CVE is not in the CISA KEV catalogue; the SSVC entry records no known exploitation but marks the attack as automatable, which matters here because one client can repeat the trigger in a loop. The attack vector is a remote, unauthenticated TLS client that offers a PSK identity or ALPN protocol list crafted so the server's callback throws; each attempt either ends the process or leaks one file descriptor, and no privileges, user interaction or local access are required.

Generated by OpenCVE AI on April 18, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround is recorded in this section; the Debian advisories listed under Advisories below (DSA-6166-1 and DSA-6183-1) ship nodejs updates for this CVE.

OpenCVE Recommended Actions

  • Install the latest Node.js release that fixes the TLS error handling flaw, as documented in the Node.js December 2025 vulnerability advisory, and pick up the distribution packages (for Debian, the DSAs listed below).
  • If an update is not immediately possible, make the callbacks unable to throw: wrap the body of `pskCallback` in a try/catch that returns `null` on failure and the body of `ALPNCallback` in one that returns `undefined`, so a bad identity or protocol list rejects the handshake through the normal path instead of escaping as an exception. If a callback is not needed, remove it.
  • Bound the handshake (`handshakeTimeout` on `tls.Server`) and limit connections per source, and monitor the process's open file descriptor count (on Linux, `/proc/<pid>/fd`) together with restarts; descriptors that climb under handshake load without a matching rise in established connections are the leak signature of this issue.


Advisories
Source       ID          Title
Debian DSA   DSA-6166-1  nodejs security update
Debian DSA   DSA-6183-1  nodejs security update
History

Fri, 30 Jan 2026 20:30:00 +0000

  First Time appeared   added:   Nodejs node.js
  CPEs                  added:   cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Vendors & Products    added:   Nodejs node.js
  Metrics               cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                        -> cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 21 Jan 2026 21:15:00 +0000

  Weaknesses            added:   CWE-400
  Metrics               added:   ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 12:15:00 +0000

  Title                 added:   nodejs: Nodejs denial of service
  Weaknesses            added:   CWE-248
  References            changed (entries not shown on this page)
  Metrics               threat_severity None -> Moderate
                        added:   cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 21 Jan 2026 11:30:00 +0000

  First Time appeared   added:   Nodejs; Nodejs nodejs
  Vendors & Products    added:   Nodejs; Nodejs nodejs

Tue, 20 Jan 2026 20:45:00 +0000

  Description           added:   A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
  References            changed (entries not shown on this page)
  Metrics               added:   cvssV3_0 {'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-01-21T20:22:51.033Z

Reserved: 2026-01-01T15:00:02.339Z

Link: CVE-2026-21637

Vulnrichment

Updated: 2026-01-21T20:22:42.356Z

NVD

Status : Analyzed

Published: 2026-01-20T21:16:05.950

Modified: 2026-01-30T20:18:32.377

Link: CVE-2026-21637

Red Hat

Severity : Moderate

Public Date: 2026-01-20T20:41:55Z

Links: CVE-2026-21637 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses