Node.js · Node.js · CVE-2026-21710
**Name of the Vulnerable Software and Affected Versions**
Node.js versions 20.x, 22.x, 24.x and 25.x
**Description**
A flaw in Node.js HTTP request handling results in an uncaught `TypeError` when a request includes a header named `__proto__` and the application accesses `req.headersDistinct`. Specifically, `dest["__proto__"]` incorrectly resolves to `Object.prototype` instead of `undefined`, so `.push()` is called on a non-array. The exception is thrown synchronously within a property getter and cannot be intercepted by standard `error` event listeners; handling it requires a `try/catch` block around every access to `req.headersDistinct`. The affected component is HTTP request header handling, the triggering header name is `__proto__`, and the vulnerable accessor is `req.headersDistinct`.
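The failure mode and a defensive accessor, as an added example (not Node.js source and not part of the advisory). `distinctModel` is a simplified model of the accumulation described above; every function name and the `mockReq` stand-in are hypothetical.

```javascript
// Simplified model of the described accumulation (an assumption, not Node.js
// source): a plain object inherits from Object.prototype, so the lookup
// dest["__proto__"] returns Object.prototype rather than undefined.
function distinctModel(rawHeaders) {
  const dest = {};
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const key = rawHeaders[i].toLowerCase();
    const existing = dest[key];
    if (existing === undefined) dest[key] = [rawHeaders[i + 1]];
    else existing.push(rawHeaders[i + 1]); // TypeError when key is "__proto__"
  }
  return dest;
}

// Same loop over a null-prototype object: nothing is inherited, so
// "__proto__" is stored as an ordinary own key like any other header name.
function distinctNullProto(rawHeaders) {
  const dest = Object.create(null);
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const key = rawHeaders[i].toLowerCase();
    if (Object.hasOwn(dest, key)) dest[key].push(rawHeaders[i + 1]);
    else dest[key] = [rawHeaders[i + 1]];
  }
  return dest;
}

// Defensive accessor: contain the synchronous throw from the getter and
// rebuild the map from req.rawHeaders (approximates headersDistinct).
function safeHeadersDistinct(req) {
  try {
    return req.headersDistinct;
  } catch (err) {
    if (!(err instanceof TypeError)) throw err; // unrelated failures propagate
    return distinctNullProto(req.rawHeaders);
  }
}

// Constructed stand-in for an IncomingMessage on an affected release.
const mockReq = {
  rawHeaders: ['Host', 'example.test', 'Accept', 'text/html', '__proto__', 'x'],
  get headersDistinct() { return distinctModel(this.rawHeaders); },
};

console.log(Object.keys(safeHeadersDistinct(mockReq)));
```

Routing every read of `req.headersDistinct` through one such wrapper keeps the `try/catch` in a single place; a service may prefer to answer 400 in the `catch` branch instead of rebuilding the map.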
**Recommendations**
Node.js versions 20.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js versions 22.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js versions 24.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js versions 25.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.