Fluid Attacks Database

Description

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct.

When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.

This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| =22.22.0+dfsg+~cs22.19.13-1 \|\| =22.22.0+dfsg+~cs22.19.13-2 \|\| =22.22.0+dfsg+~cs22.19.6-1 \|\| =22.22.1+dfsg+~cs22.19.15-1 \|\| >=0 <22.22.2+dfsg+~cs22.19.15-1	22.22.2+dfsg+~cs22.19.15-1
alpine v3.23	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.16.0-r3 \|\| =22.19.0-r3 \|\| =22.19.0-r4 \|\| =22.21.0-r0 \|\| =24.11.1-r0 \|\| =24.13.0-r0 \|\| =24.13.0-r1 \|\| >=0 <24.14.1-r0	24.14.1-r0
debian 12	nodejs	=18.13.0+dfsg1-1 \|\| =18.13.0+dfsg1-1.1 \|\| =18.19.0+dfsg-1 \|\| =18.19.0+dfsg-2 \|\| =18.19.0+dfsg-3 \|\| =18.19.0+dfsg-4 \|\| =18.19.0+dfsg-5 \|\| =18.19.0+dfsg-6 \|\| =18.19.0+dfsg-6~deb12u1 \|\| =18.19.0+dfsg-6~deb12u2 \|\| =18.19.1+dfsg-1 \|\| =18.19.1+dfsg-2 \|\| =18.19.1+dfsg-3 \|\| =18.19.1+dfsg-3.1 \|\| =18.19.1+dfsg-4 \|\| =18.19.1+dfsg-6 \|\| =18.20.1+dfsg-1 \|\| =18.20.1+dfsg-2 \|\| =18.20.1+dfsg-3 \|\| =18.20.1+dfsg-4 \|\| =18.20.4+dfsg-1~deb12u1 \|\| >=0 <18.20.4+dfsg-1~deb12u2	18.20.4+dfsg-1~deb12u2
rpm rhel9	nodejs	<1:20.20.2-1.module+el9.7.0+24193+41b7b572	1:20.20.2-1.module+el9.7.0+24193+41b7b572
rpm rhel8	nodejs	<1:20.20.2-1.module+el8.10.0+24197+1602b452	1:20.20.2-1.module+el8.10.0+24197+1602b452
alpine v3.21	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.13.1-r0 \|\| =22.15.1-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0
debian 13	nodejs	=20.19.2+dfsg-1 \|\| =20.19.2+dfsg-1+deb13u1 \|\| >=0 <20.19.2+dfsg-1+deb13u2	20.19.2+dfsg-1+deb13u2
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.22.0-r0 \|\| >=0 <22.22.2-r0	22.22.2-r0
rpm rhel10	nodejs22	<1:22.22.2-1.el10_1	1:22.22.2-1.el10_1
rpm rhel10	nodejs24	<1:24.14.1-2.el10_1	1:24.14.1-2.el10_1

1-10 of 13

Aliases

1. CVE-2026-217102. NVD-2026-217103. OSV-DEBIAN-2026-217104. OSV-2026-217105. OSV-ALPINE-2026-217106. SECURITY-TRACKER-CVE-2026-217107. SECURITY-CVE-2026-21710

References

1. https://github.com/dajneem23/CVE-2026-21710

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.