CVE-2026-21637
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-30
Assigner: HackerOne
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | From 4.0.0 (inc) to 20.20.0 (exc) |
| nodejs | node.js | From 22.0.0 (inc) to 22.22.0 (exc) |
| nodejs | node.js | From 24.0.0 (inc) to 24.13.0 (exc) |
| nodejs | node.js | From 25.0.0 (inc) to 25.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in Node.js TLS error handling: a synchronous exception thrown inside the pskCallback or ALPNCallback bypasses the standard TLS error handling. This can cause the TLS server process to terminate immediately or leak file descriptors silently, leading to resource exhaustion. The issue arises because these callbacks handle attacker-controlled input during the TLS handshake, allowing a remote attacker to trigger the problem repeatedly.
How can this vulnerability impact me?
The vulnerability can impact you by allowing remote attackers to crash your TLS server or exhaust its resources, resulting in denial of service. This happens because the server may terminate unexpectedly or leak resources when handling certain TLS handshake callbacks, which attackers can exploit repeatedly.