Description
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.

Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Published: 2026-03-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Timing oracle leading to possible HMAC exposure
Action: Apply Patch
AI Analysis

Impact

A flaw in Node.js validates user‑provided HMAC signatures with a non‑constant‑time comparison, leaking timing information proportional to matching bytes. This side‑channel can be exploited by an attacker with high‑resolution timing measurements to infer the correct HMAC value, potentially compromising authentication or message integrity. The weakness aligns with a timing side‑channel definition.

Affected Systems

Node.js releases 20.x, 22.x, 24.x, and 25.x contain the vulnerable comparison logic and are impacted by this flaw.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. Because no EPSS score or KEV listing is present, the probability of real‑world exploitation remains uncertain, though timing attacks are feasible when an attacker can observe repeated verification requests. The vulnerability does not directly expose secrets, but it can be a stepping‑stone for more destructive attacks if combined with other weaknesses.

Generated by OpenCVE AI on March 30, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest patch release for the affected series, which replaces the insecure comparison with a constant‑time primitive.
  • If an immediate upgrade is not possible, modify the verification code to use Node.js’s `crypto.timingSafeEqual` function for HMAC comparison.
  • Validate that the updated Node.js rebuilds the affected modules and passes security tests or scans.
  • Keep monitoring Node.js security advisories for further updates or guidance.

Generated by OpenCVE AI on March 30, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Timing Side‑Channel in Node.js HMAC Verification Node.js: Node.js: Information disclosure via timing oracle in HMAC verification
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-208
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Timing Side‑Channel in Node.js HMAC Verification
Weaknesses CWE-203

Mon, 30 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
References
Metrics cvssV3_0

{'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-30T19:45:22.905Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21713

cve-icon Vulnrichment

Updated: 2026-03-30T19:45:19.620Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.397

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21713

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21713 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:26Z

Weaknesses