CVE-2026-21710

HIGH

Node.js 20.x 22.x 24.x 25.x - Denial of Service via __proto__ Header Handling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21710. PoCs published by open-flaw, dajneem23.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-21710, a DoS vulnerability in Node.js caused by prototype pollution in the `req.headersDistinct` getter. The PoC demonstrates the crash by sending a crafted HTTP request with a `__proto__` header.

Description

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**

Exploits (2)

github WORKING POC
by open-flaw · javascriptpoc
https://github.com/open-flaw/CVE-2026-21710

This repository contains a functional proof-of-concept exploit for CVE-2026-21710, a DoS vulnerability in Node.js caused by prototype pollution in the `req.headersDistinct` getter. The PoC demonstrates the crash by sending a crafted HTTP request with a `__proto__` header.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Node.js 20.x, 22.x, 24.x, 25.x
No auth needed
Prerequisites: Node.js server running on the target · Access to send HTTP requests to the server
devstral-2 · analyzed May 17, 2026 Full analysis →
nomisec WORKING POC
by dajneem23 · poc
https://github.com/dajneem23/CVE-2026-21710

This repository contains a functional proof-of-concept exploit for CVE-2026-21710, a DoS vulnerability in Node.js caused by prototype pollution in the `req.headersDistinct` getter. The exploit sends a crafted HTTP request with a `__proto__` header, triggering an uncaught `TypeError` that crashes the Node.js process.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Node.js 20.x, 22.x, 24.x, 25.x
No auth needed
Prerequisites: A vulnerable Node.js HTTP server that accesses `req.headersDistinct`
devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (20)
nodejs/node 10.0 - 10.*
nodejs/node 11.0 - 11.*
nodejs/node 12.0 - 12.*
nodejs/node 13.0 - 13.*
nodejs/node 14.0 - 14.*
nodejs/node 15.0 - 15.*
nodejs/node 16.0 - 16.*
nodejs/node 17.0 - 17.*
nodejs/node 18.0 - 18.*
nodejs/node 19.0 - 19.*
... and 10 more
Published Mar 30, 2026
Tracked Since Mar 31, 2026