Node.js 20.x < 20.20.2 Multiple Vulnerabilities (Tuesday, March 24, 2026 Security Releases).

high Nessus Plugin ID 303494

Synopsis

Node.js, a JavaScript runtime environment, is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 20.20.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, March 24, 2026 Security Releases advisory.

- A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. (CVE-2026-21637)

- A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a read-only file descriptor to change the owner and permissions of a file. (CVE-2024-36137)

- A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named __proto__ and the application accesses req.headersDistinct. When this occurs, dest[__proto__] resolves to Object.prototype rather than undefined, causing .push() to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by error event listeners, meaning it cannot be handled without wrapping every req.headersDistinct access in a try/catch. Thank you to yushengchen for reporting this vulnerability and to mcollina for fixing it. (CVE-2026-21710)

- A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. Thank you to xavlimsg for reporting this vulnerability and to RafaelGSS for fixing it. (CVE-2026-21711)

- A flaw in Node.js URL processing causes an assertion failure in native code when url.format() is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process. Thank you to wooffie for reporting this vulnerability and to RafaelGSS for fixing it. (CVE-2026-21712)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 20.20.2 or later.

See Also

http://www.nessus.org/u?4d3e9120

Plugin Details

Severity: High

ID: 303494

File Name: nodejs_2026_mar_24.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/24/2026

Updated: 3/24/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-21637

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Ease: No known exploits are available

Patch Publication Date: 3/24/2026

Vulnerability Publication Date: 7/8/2024

Reference Information

CVE: CVE-2024-36137, CVE-2026-21637, CVE-2026-21710, CVE-2026-21711, CVE-2026-21712, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21717

IAVB: 2024-B-0083-S, 2026-B-0013