Impact
The flaw is in the Node.js HTTP Agent: a client can accept a server response before it has sent its own request, so the client handles responses out of order. This can cause logic errors or denial of service if the application misinterprets the state. The weakness corresponds to CWE-367, reflecting improper policy enforcement during the request lifecycle. Based on the description, the likely attack vector is a network‑based scenario where an attacker can send a premature response to the client.
Affected Systems
The vulnerability applies to all supported Node.js release lines, specifically Node.js 22, 24, and 26. Users of these versions should verify their installation and plan for an update.
Risk and Exploitability
The CVSS score is 3.7, indicating low severity, and the vulnerability is not listed in CISA KEV, suggesting no public exploitation has been reported yet. The flaw allows a client to process a premature response, which could be leveraged in environments where HTTP traffic is exposed, but specific exploitation conditions are not detailed in the advisory. Until an official patch is released, the risk remains low but should be mitigated promptly to avoid potential logic errors.
OpenCVE Enrichment