Description
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.

When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.

* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Published: 2026-03-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to crash from __proto__ header
Action: Patch Immediately
AI Analysis

Impact

A flaw in Node.js HTTP request handling results in an uncaught TypeError when a request containing the header __proto__ is processed and the application reads req.headersDistinct. The exception occurs synchronously within a property getter and cannot be caught by standard error handlers, leading to an unpredictable crash of the Node.js process. This failure causes a denial of service in affected applications.

Affected Systems

The vulnerability affects all Node.js HTTP servers running on the 20.x, 22.x, 24.x, and v25.x branches. In production environments, any application that relies on the default HTTP module and accesses request headers via req.headersDistinct is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates medium to high severity, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widely automated. The flaw is not listed in the CISA KEV catalog. Attackers can trigger the crash by sending a crafted HTTP request over the network to a vulnerable Node.js server; the vector is inferred from the HTTP header manipulation.

Generated by OpenCVE AI on April 1, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Node.js release that includes the March 2026 security fix (e.g., continue patch series 20.x, 22.x, 24.x, or v25.x).
  • If immediate upgrade cannot be performed, wrap all accesses to req.headersDistinct in try/catch blocks to avoid unhandled exceptions.
  • Validate incoming request headers to reject or sanitize __proto__ headers before processing.
  • Monitor application logs for uncaught TypeError exceptions and ensure the service restarts gracefully.

Generated by OpenCVE AI on April 1, 2026 at 05:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Unhandled TypeError from __proto__ Header in Node.js HTTP Request Handling Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-20 CWE-843
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unhandled TypeError from __proto__ Header in Node.js HTTP Request Handling
Weaknesses CWE-20

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T13:55:23.719Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21710

cve-icon Vulnrichment

Updated: 2026-03-31T13:55:13.442Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:18.210

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21710

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21710 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:00Z

Weaknesses