CVE-2026-21713
ADVISORY - nistSummary
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects 20.x, 22.x, 24.x, and 25.x.
EPSS Score: 0.00385 (0.306)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Observable Timing Discrepancy
ADVISORY - redhat
Observable Timing Discrepancy
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in