CVE-2026-21637

CVE-2026-21637

Name

CVE-2026-21637

Description

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Type

URI

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Match rules

CPE URI	Source package	Min version	Max version
	node	>= 0	<= 20.19.6
	node	>= 0	<= 22.21.1
	node	>= 0	<= 24.12.0
	node	>= 0	<= 25.2.1
	node	>= 4.0	< 4.*
	node	>= 5.0	< 5.*
	node	>= 6.0	< 6.*
	node	>= 7.0	< 7.*
	node	>= 8.0	< 8.*
	node	>= 9.0	< 9.*
	node	>= 10.0	< 10.*
	node	>= 11.0	< 11.*
	node	>= 12.0	< 12.*
	node	>= 13.0	< 13.*
	node	>= 14.0	< 14.*
	node	>= 15.0	< 15.*
	node	>= 16.0	< 16.*
	node	>= 17.0	< 17.*
	node	>= 18.0	< 18.*
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 4.0.0	< 20.20.0
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 22.0.0	< 22.22.0
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 24.0.0	< 24.13.0
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 25.0.0	< 25.3.0

CPE URI

Source package

Min version

Max version

node

>= 0

<= 20.19.6

node

>= 0

<= 22.21.1

node

>= 0

<= 24.12.0

node

>= 0

<= 25.2.1

node

>= 4.0

< 4.*

node

>= 5.0

< 5.*

node

>= 6.0

< 6.*

node

>= 7.0

< 7.*

node

>= 8.0

< 8.*

node

>= 9.0

< 9.*

node

>= 10.0

< 10.*

node

>= 11.0

< 11.*

node

>= 12.0

< 12.*

node

>= 13.0

< 13.*

node

>= 14.0

< 14.*

node

>= 15.0

< 15.*

node

>= 16.0

< 16.*

node

>= 17.0

< 17.*

node

>= 18.0

< 18.*

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 4.0.0

< 20.20.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 22.0.0

< 22.22.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 24.0.0

< 24.13.0

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 25.0.0

< 25.3.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs	edge-main	24.13.0-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	edge-main	24.11.1-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	24.11.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	24.11.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.21.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.19.0-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.19.0-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.16.0-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.16.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r5	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.11.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.11.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	22.11.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.15.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.12.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.12.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.12.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.11.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.11.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.10.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.10.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	20.9.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.18.2-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.18.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.18.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.18.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.17.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.17.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.15.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.15.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.14.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.13.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	18.12.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.18.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.18.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.17.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.17.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.16.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	16.13.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.18.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.6-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.5-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.17.4-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	edge-main	14.16.1-r0	None	possibly vulnerable
nodejs	edge-main	14.16.0-r0	None	possibly vulnerable
nodejs	edge-main	14.15.5-r0	None	possibly vulnerable
nodejs	edge-main	14.15.4-r0	None	possibly vulnerable
nodejs	edge-main	14.15.1-r0	None	possibly vulnerable
nodejs	edge-main	12.18.4-r0	None	possibly vulnerable
nodejs	edge-main	12.18.0-r0	None	possibly vulnerable
nodejs	edge-main	12.15.0-r0	None	possibly vulnerable
nodejs	edge-main	10.16.3-r0	None	possibly vulnerable
nodejs	edge-main	10.15.3-r0	None	possibly vulnerable
nodejs	edge-main	10.14.0-r0	None	possibly vulnerable
nodejs	edge-main	8.11.4-r0	None	possibly vulnerable
nodejs	edge-main	8.11.3-r0	None	possibly vulnerable
nodejs	edge-main	8.11.0-r0	None	possibly vulnerable
nodejs	edge-main	8.9.3-r0	None	possibly vulnerable
nodejs	edge-main	6.11.5-r0	None	possibly vulnerable
nodejs	edge-main	6.11.1-r0	None	possibly vulnerable
nodejs	3.23-main	24.13.0-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	3.23-main	24.11.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.22-main	22.22.0-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs	3.22-main	22.16.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.22-main	22.13.1-r0	None	possibly vulnerable
nodejs	3.22-main	20.15.1-r0	None	possibly vulnerable
nodejs	3.22-main	20.12.1-r0	None	possibly vulnerable
nodejs	3.22-main	18.18.2-r0	None	possibly vulnerable
nodejs	3.22-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.22-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.22-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.22-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.22-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.22-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.22-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.22-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.22-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.22-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.22-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.22-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.22-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.22-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.22-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.22-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.22-main	8.11.4-r0	None	possibly vulnerable
nodejs	3.22-main	8.11.3-r0	None	possibly vulnerable
nodejs	3.22-main	8.11.0-r0	None	possibly vulnerable
nodejs	3.22-main	8.9.3-r0	None	possibly vulnerable
nodejs	3.22-main	6.11.5-r0	None	possibly vulnerable
nodejs	3.22-main	6.11.1-r0	None	possibly vulnerable
nodejs	3.21-main	22.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.21-main	22.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.21-main	22.11.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.21-main	22.11.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.21-main	20.15.1-r0	None	possibly vulnerable
nodejs	3.21-main	20.12.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.18.2-r0	None	possibly vulnerable
nodejs	3.21-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.21-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.21-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.21-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.21-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.21-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.21-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.21-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.21-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.21-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.21-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.21-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.21-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.21-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.21-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.21-main	8.11.4-r0	None	possibly vulnerable
nodejs	3.21-main	8.11.3-r0	None	possibly vulnerable
nodejs	3.21-main	8.11.0-r0	None	possibly vulnerable
nodejs	3.21-main	8.9.3-r0	None	possibly vulnerable
nodejs	3.21-main	6.11.5-r0	None	possibly vulnerable
nodejs	3.21-main	6.11.1-r0	None	possibly vulnerable
nodejs	3.20-main	20.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.20-main	20.13.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.20-main	20.12.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.18.2-r0	None	possibly vulnerable
nodejs	3.20-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.20-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.20-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.20-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.20-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.20-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.20-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.20-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.20-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.20-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.20-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.20-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.20-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.20-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.20-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.20-main	8.11.4-r0	None	possibly vulnerable
nodejs	3.20-main	8.11.3-r0	None	possibly vulnerable
nodejs	3.20-main	8.11.0-r0	None	possibly vulnerable
nodejs	3.20-main	8.9.3-r0	None	possibly vulnerable
nodejs	3.20-main	6.11.5-r0	None	possibly vulnerable
nodejs	3.20-main	6.11.1-r0	None	possibly vulnerable
nodejs	3.19-main	20.15.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	20.12.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	20.11.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	20.11.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	20.10.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	20.10.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
nodejs	3.19-main	18.18.2-r0	None	possibly vulnerable
nodejs	3.19-main	18.17.1-r0	None	possibly vulnerable
nodejs	3.19-main	18.14.1-r0	None	possibly vulnerable
nodejs	3.19-main	18.12.1-r0	None	possibly vulnerable
nodejs	3.19-main	16.17.1-r0	None	possibly vulnerable
nodejs	3.19-main	16.13.2-r0	None	possibly vulnerable
nodejs	3.19-main	14.18.1-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.6-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.5-r0	None	possibly vulnerable
nodejs	3.19-main	14.17.4-r0	None	possibly vulnerable
nodejs	3.19-main	14.16.1-r0	None	possibly vulnerable
nodejs	3.19-main	14.16.0-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.5-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.4-r0	None	possibly vulnerable
nodejs	3.19-main	14.15.1-r0	None	possibly vulnerable
nodejs	3.19-main	12.18.4-r0	None	possibly vulnerable
nodejs	3.19-main	12.18.0-r0	None	possibly vulnerable
nodejs	3.19-main	12.15.0-r0	None	possibly vulnerable
nodejs	3.19-main	10.16.3-r0	None	possibly vulnerable
nodejs	3.19-main	10.15.3-r0	None	possibly vulnerable
nodejs	3.19-main	10.14.0-r0	None	possibly vulnerable
nodejs	3.19-main	8.11.4-r0	None	possibly vulnerable
nodejs	3.19-main	8.11.3-r0	None	possibly vulnerable
nodejs	3.19-main	8.11.0-r0	None	possibly vulnerable
nodejs	3.19-main	8.9.3-r0	None	possibly vulnerable
nodejs	3.19-main	6.11.5-r0	None	possibly vulnerable
nodejs	3.19-main	6.11.1-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages