CVE-2026-21714

Name of the Vulnerable Software and Affected Versions Node.js versions 20 through 25

Description A memory leak can occur in Node.js HTTP/2 servers when a client sends WINDOW UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server sends a GOAWAY frame, but the Http2Session object is not properly cleaned up. The WINDOW UPDATE frames are related to the HTTP/2 protocol's flow control mechanism, which manages the amount of data a sender can transmit before receiving acknowledgment from the receiver. Exceeding the maximum flow control window value can lead to resource exhaustion and potentially denial-of-service conditions.

Recommendations Update to a newer version of Node.js that contains a fix for this vulnerability.