
Description

A flaw in Node.js TLS error handling allows remote attackers to crash a TLS server, or exhaust its resources, when `pskCallback` or `ALPNCallback` is in use. Synchronous exceptions thrown inside these callbacks bypass the standard TLS error-handling paths (the `tlsClientError` and `error` events), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can trigger the issue repeatedly. This vulnerability affects TLS servers using PSK or ALPN callbacks, across all Node.js versions in which such callbacks can throw without being safely wrapped.
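The following is an added example, not code from the Node.js project or from the advisory. It shows the pattern the description warns about (a handshake callback that throws on unexpected input) next to a hardened form, where a small guard catches any synchronous exception and returns the value that makes the TLS layer reject the handshake with an alert instead: `null` for `pskCallback`, `undefined` for `ALPNCallback`. The PSK table, the ALPN policy map, the `guardHandshakeCallback` helper and `buildServerOptions` are all assumptions for the example; no server is started, so no key or certificate is needed.

```javascript
'use strict';
// Added example (not Node.js project code): keep synchronous exceptions in
// pskCallback / ALPNCallback from reaching the TLS layer.

// --- constructed sample data, not from the advisory ---
const PSK_TABLE = new Map([
  ['client-a', Buffer.from('00112233445566778899aabbccddeeff', 'hex')],
]);
const ALPN_POLICY = new Map([
  ['api.example.test', ['h2', 'http/1.1']],
]);

// Error sink shared by the guards; a real server would route this to its logger.
const handshakeErrorLog = [];

// Generic guard (assumed helper): run the application callback and, if it
// throws synchronously, record the error and return the value that makes the
// TLS layer reject the handshake cleanly (null for PSK, undefined for ALPN).
function guardHandshakeCallback(fn, rejectValue, onError = (e) => handshakeErrorLog.push(e)) {
  return function guarded(...args) {
    try {
      return fn.apply(this, args);
    } catch (err) {
      onError(err);
      return rejectValue;
    }
  };
}

// Pattern the advisory describes: a lookup that throws on attacker-controlled
// input. Unwrapped, this exception escapes pskCallback; on affected versions
// that crashes the process or leaks the socket's file descriptor.
function pskLookup(socket, identity) {
  if (!/^[a-z0-9-]{1,64}$/.test(identity)) {
    throw new TypeError(`malformed PSK identity: ${JSON.stringify(identity)}`);
  }
  return PSK_TABLE.get(identity) ?? null; // null => handshake rejected with an alert
}

// Same problem for ALPN: when the SNI name has no policy entry, `allowed` is
// undefined and .find() raises a TypeError inside the handshake.
function alpnSelect({ servername, protocols }) {
  const allowed = ALPN_POLICY.get(servername);
  // Must return one of the client's offered protocols, or undefined to reject.
  return allowed.find((p) => protocols.includes(p));
}

// Hardened forms: the TLS layer only ever sees a return value.
const safePskCallback = guardHandshakeCallback(pskLookup, null);
const safeAlpnCallback = guardHandshakeCallback(alpnSelect, undefined);

// Where the guards plug in; pass the result to tls.createServer() together with
// key/cert (assumed helper, server not started here).
function buildServerOptions(extra = {}) {
  return { ...extra, pskCallback: safePskCallback, ALPNCallback: safeAlpnCallback };
}
```

The guard is a defence-in-depth measure for deployments that cannot upgrade immediately: it turns a process crash or descriptor leak into a per-connection handshake failure that is logged and can be rate-limited, while the underlying fix remains the patched Node.js release.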

Status: PUBLISHED | Reserved 2026-01-01 | Published 2026-01-20 | Updated 2026-01-21 | Assigner: hackerone




MEDIUM: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Product status

Default status
unaffected

20.19.6 (semver)
affected

22.21.1 (semver)
affected

24.12.0 (semver)
affected

25.2.1 (semver)
affected

4.0 (semver) before 4.*
affected

5.0 (semver) before 5.*
affected

6.0 (semver) before 6.*
affected

7.0 (semver) before 7.*
affected

8.0 (semver) before 8.*
affected

9.0 (semver) before 9.*
affected

10.0 (semver) before 10.*
affected

11.0 (semver) before 11.*
affected

12.0 (semver) before 12.*
affected

13.0 (semver) before 13.*
affected

14.0 (semver) before 14.*
affected

15.0 (semver) before 15.*
affected

16.0 (semver) before 16.*
affected

17.0 (semver) before 17.*
affected

18.0 (semver) before 18.*
affected

References

nodejs.org/.../vulnerability/december-2025-security-releases

cve.org (CVE-2026-21637)

nvd.nist.gov (CVE-2026-21637)
