Home
MEDIUM: 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NDefault status
unaffected
20.20.1 (semver)
affected
22.22.1 (semver)
affected
24.14.0 (semver)
affected
25.8.1 (semver)
affected
4.0 (semver) before 4.*
affected
5.0 (semver) before 5.*
affected
6.0 (semver) before 6.*
affected
7.0 (semver) before 7.*
affected
8.0 (semver) before 8.*
affected
9.0 (semver) before 9.*
affected
10.0 (semver) before 10.*
affected
11.0 (semver) before 11.*
affected
12.0 (semver) before 12.*
affected
13.0 (semver) before 13.*
affected
14.0 (semver) before 14.*
affected
15.0 (semver) before 15.*
affected
16.0 (semver) before 16.*
affected
17.0 (semver) before 17.*
affected
18.0 (semver) before 18.*
affected
19.0 (semver) before 19.*
affected
Description
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Product status
20.20.1 (semver)
22.22.1 (semver)
24.14.0 (semver)
25.8.1 (semver)
4.0 (semver) before 4.*
5.0 (semver) before 5.*
6.0 (semver) before 6.*
7.0 (semver) before 7.*
8.0 (semver) before 8.*
9.0 (semver) before 9.*
10.0 (semver) before 10.*
11.0 (semver) before 11.*
12.0 (semver) before 12.*
13.0 (semver) before 13.*
14.0 (semver) before 14.*
15.0 (semver) before 15.*
16.0 (semver) before 16.*
17.0 (semver) before 17.*
18.0 (semver) before 18.*
19.0 (semver) before 19.*
References
nodejs.org/...log/vulnerability/march-2026-security-releases