CVE-2026-21713
ADVISORY - nistSummary
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
Common Weakness Enumeration (CWE)
Observable Timing Discrepancy
Observable Timing Discrepancy
Docker
BSA-2026-21713
-
Docker
CVE-2026-21713
-
NIST
2.2
CVSS SCORE
5.9mediumAlpine
-
Debian
-
CVSS SCORE
N/AlowUbuntu
-
CVSS SCORE
N/AmediumAlma
-
CVSS SCORE
N/AhighAlma
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighAmazon
-
CVSS SCORE
N/AhighBitnami
BIT-node-2026-21713
2.2
CVSS SCORE
5.9mediumBitnami
BIT-node-min-2026-21713
2.2
CVSS SCORE
5.9mediumRed Hat
2.2
CVSS SCORE
5.9mediumRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighRocky
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighOracle
-
CVSS SCORE
N/AhighChainguard
CGA-9v96-6p33-r65p
-
Photon
CVE-2026-21713
-
CVSS SCORE
5.9mediumminimos
MINI-5m45-3fv3-rpph
-
minimos
MINI-5vmg-c4pg-wxvh
-
minimos
MINI-676p-56mf-w5j9
-
minimos
MINI-8mg6-fvq7-7hm3
-
minimos
MINI-92q8-8vvh-vrqr
-
minimos
MINI-ccvq-wpv6-7cq2
-
minimos
MINI-frph-59pj-r7j8
-