PT-2026-28317 · Node.Js+1

X_Probe · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-21713

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x through 25.x
Description: A flaw exists in Node.js HMAC verification where a non-constant-time comparison is used when validating signatures provided by a user. This can leak timing information proportional to the number of matching bytes. Under specific threat models where high-resolution timing measurements are possible, this behavior may be exploited as a timing oracle to infer HMAC values. Node.js already includes timing-safe comparison primitives used in other parts of the codebase, which suggests this is an oversight rather than an intentional design choice. The issue is confined to the HMAC verification process and the possibility of an attacker inferring MAC values through timing measurements.
Recommendations: Update to a newer version of Node.js that addresses this issue once one is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BDU:2026-04835
BIT-NODE-2026-21713
BIT-NODE-MIN-2026-21713
CVE-2026-21713
MGASA-2026-0071
OESA-2026-1951
OESA-2026-1952
OESA-2026-1953
OESA-2026-1954
OPENSUSE-SU-2026:10504-1
OPENSUSE-SU-2026:20519-1
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675
SUSE-SU-2026:1299-1
SUSE-SU-2026:1363-1
SUSE-SU-2026:1371-1
SUSE-SU-2026:1478-1
SUSE-SU-2026:1509-1
SUSE-SU-2026:21181-1

Affected products

Node.Js
Rocky Linux