Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server
when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks
bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process
termination or silent file descriptor leaks that eventually lead to denial of service. Because these
callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly
trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js
versions where these callbacks throw without being safely wrapped. (CVE-2026-21637)
- A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a
header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs,
`dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called
on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted
by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct`
access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and
v25.x** (CVE-2026-21710)
- A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called
with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js
process. (CVE-2026-21712)
- A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided
signatures, potentially leaking timing information proportional to the number of matching bytes. Under
certain threat models where high-resolution timing measurements are possible, this behavior could be
exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison
primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional
design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. (CVE-2026-21713)
Solution
Update the nodejs library and its related packages to version 24.14.1-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 1/13/2026