CVE-2026-21714
Memory Leak in Node.js HTTP/2 Server via WINDOW_UPDATE Frames
Publication date: 2026-03-30
Last updated on: 2026-03-31
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | 20 |
| nodejs | node.js | 22 |
| nodejs | node.js | 24 |
| nodejs | node.js | 25 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a memory leak in Node.js HTTP/2 servers. It happens when a client sends WINDOW_UPDATE frames on stream 0 (which is the connection-level stream) that increase the flow control window beyond its maximum allowed value of 2Β³ΒΉ-1. Although the server responds correctly by sending a GOAWAY frame to terminate the connection, it fails to clean up the associated Http2Session object, causing memory to be retained unnecessarily.
How can this vulnerability impact me? :
The impact of this vulnerability is a memory leak on the server running Node.js HTTP/2. Over time, if exploited, this can cause increased memory usage leading to degraded server performance or even crashes due to exhaustion of available memory. This can affect the availability of services relying on the vulnerable Node.js versions.