Sign In

CVE-2026-21710

ADVISORY - nist

Summary

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct.

When this occurs, dest["__proto__"] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch.

  • This vulnerability affects all Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x
EPSS Score: 0.00028 (0.081)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-770

Allocation of Resources Without Limits or Throttling

ADVISORY - redhat

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in