PT-2026-28316 · Node.Js+1
Yushengchen · Published 2026-01-01 · Updated 2026-04-21
CVE-2026-21710
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Node.js versions 20.x, 22.x, 24.x and v25.x
Description
A flaw in Node.js HTTP request handling results in an uncaught TypeError when a request includes a header named __proto__ and the application accesses req.headersDistinct. Specifically, dest["__proto__"] incorrectly resolves to Object.prototype instead of undefined, leading to a .push() call on a non-array. The exception is thrown synchronously inside a property getter and cannot be intercepted by standard 'error' event listeners; handling it requires try/catch blocks around every access to req.headersDistinct. The affected API endpoint is HTTP request header handling, the vulnerable parameter is the __proto__ header, and the vulnerable function is req.headersDistinct.
Recommendations
Node.js versions 20.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js versions 22.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js versions 24.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Node.js version v25.x: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
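As an added illustration (not Node.js's own source or code from this advisory), the following models the per-header aggregation the description refers to, a plain-object accumulator beside a null-prototype one, plus the try/catch wrapper the description calls for; the header names and values are constructed sample input:

```javascript
// Added example modelling the flaw the advisory describes; not Node.js source.
// Appends one header value to the per-name array in `dest`.
function addDistinct(dest, field, value) {
  field = field.toLowerCase();
  if (!dest[field]) dest[field] = [value];
  else dest[field].push(value);
}

// Walks a raw header list laid out as [name, value, name, value, ...].
function collectDistinct(rawHeaders, dest) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    addDistinct(dest, rawHeaders[i], rawHeaders[i + 1]);
  }
  return dest;
}

// Vulnerable shape: with a plain object, dest["__proto__"] resolves to
// Object.prototype (truthy but not an array), so .push() throws TypeError.
const collectDistinctUnsafe = (rawHeaders) => collectDistinct(rawHeaders, {});

// Hardened shape: a null-prototype accumulator has no inherited "__proto__"
// accessor, so that header name is stored like any other key.
const collectDistinctSafe = (rawHeaders) =>
  collectDistinct(rawHeaders, Object.create(null));

// Application-side mitigation from the advisory: the TypeError is thrown
// synchronously inside the getter, so only try/catch at the access site
// catches it. Returns null when the getter throws a TypeError.
function headersDistinctOrNull(req) {
  try {
    return req.headersDistinct;
  } catch (err) {
    if (err instanceof TypeError) return null;
    throw err;
  }
}

// Constructed sample request: a duplicated Accept header (the case
// headersDistinct exists for) and a hostile "__proto__" header.
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.test', 'Accept', 'text/html',
  'accept', 'application/json', '__proto__', 'x',
];
```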
Allocation of Resources Without Limits
Improper Resource Release
Related Identifiers
Affected Products
Node.Js
Rocky Linux