PT-2026-28317 · Node.Js+1 · X_Probe

Published: 2026-01-01 · Updated: 2026-04-21

CVE-2026-21713
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x through 25.x

Description: A flaw exists in Node.js HMAC verification: signatures supplied by a user are validated with a non-constant-time comparison, so the time taken to reject a signature can leak timing information proportional to the number of matching bytes. Under threat models in which high-resolution timing measurements are possible, this behaviour may be exploited as a timing oracle to infer HMAC values. Node.js already includes timing-safe comparison primitives that are used in other parts of the codebase, which suggests an oversight rather than an intentional design choice. The issue lies in the HMAC verification process and the resulting potential for an attacker to infer values through timing attacks.

Recommendations: Update to a newer version of Node.js that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BDU:2026-04835
BIT-NODE-2026-21713
BIT-NODE-MIN-2026-21713
CVE-2026-21713
MGASA-2026-0071
OESA-2026-1951
OESA-2026-1952
OESA-2026-1953
OESA-2026-1954
OPENSUSE-SU-2026:10504-1
OPENSUSE-SU-2026:20519-1
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675
SUSE-SU-2026:1299-1
SUSE-SU-2026:1363-1
SUSE-SU-2026:1371-1
SUSE-SU-2026:1478-1
SUSE-SU-2026:1509-1
SUSE-SU-2026:21181-1

Affected Products

Node.Js
Rocky Linux