Description
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.

When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.

* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in Node.js HTTP request processing causes an uncaught TypeError when a client sends a header named __proto__. The faulty code resolves dest["__proto__"] to Object.prototype and attempts to call .push() on it, leading to a synchronous exception that cannot be caught by standard error handlers. This results in the Node.js process terminating, causing the application to crash and denying service to all users. The vulnerability stems from input validation weakness and improper handling of prototype properties.

Affected Systems

It impacts all Node.js HTTP servers running on versions 20.x, 22.x, 24.x, and v25.x. The affected product is Node.js, provided by the nodejs:node vendor.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity, but the EPSS score of less than 1 percent indicates exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger it remotely by sending a crafted HTTP request containing the __proto__ header, resulting in a crash that would disrupt service availability.

Generated by OpenCVE AI on March 31, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Node.js security update released in March 2026 for affected versions 20.x, 22.x, 24.x, and v25.x.
  • Restart the Node.js application after upgrading to ensure the patch is in effect.
  • If the update cannot be applied immediately, block or remove the __proto__ header in inbound HTTP requests using a reverse proxy or firewall.
  • Review application code to eliminate or wrap accesses to req.headersDistinct so that errors are caught and do not crash the process.

Generated by OpenCVE AI on March 31, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Unhandled TypeError from __proto__ Header in Node.js HTTP Request Handling Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-20 CWE-843
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unhandled TypeError from __proto__ Header in Node.js HTTP Request Handling
Weaknesses CWE-20

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T13:55:23.719Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21710

cve-icon Vulnrichment

Updated: 2026-03-31T13:55:13.442Z

cve-icon NVD

Status : Received

Published: 2026-03-30T20:16:18.210

Modified: 2026-03-31T15:16:11.700

Link: CVE-2026-21710

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21710 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:22Z

Weaknesses