
CVE-2026-21710 - Vulnerability Analysis

High | CVSS: 7.5

Last Updated: March 31, 2026

Node.js - Denial of Service

Published: March 30, 2026 | Updated: March 31, 2026 | PoC Available | Remote Exploitable

Overview

Node.js HTTP servers on 20.x, 22.x, 24.x, and v25.x are affected by a denial of service. A request carrying a header named '__proto__' triggers an uncaught TypeError when the application accesses req.headersDistinct, which lets attackers crash the server. Exploitation requires sending crafted HTTP requests.
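The failure mode described above can be reproduced in a simplified model. This is an added example, not Node.js source code and not the upstream fix. The function names, the sample header list and the null-prototype accumulator shown as the hardened form are assumptions made for illustration.

```javascript
// Simplified model (not Node.js source): group a flat [name, value, ...]
// list, shaped like req.rawHeaders, into a name -> [values] map.
function groupHeaders(rawHeaders, dest) {
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const existing = dest[name];
    if (existing) {
      existing.push(rawHeaders[i + 1]); // assumes existing is an array
    } else {
      dest[name] = [rawHeaders[i + 1]];
    }
  }
  return dest;
}

// Fragile: a plain object inherits "__proto__" from Object.prototype, so the
// lookup above returns Object.prototype (truthy, no push method) and throws.
const groupFragile = (raw) => groupHeaders(raw, {});

// Hardened: a null-prototype object has no inherited keys, so "__proto__"
// is stored as an ordinary own property like any other header name.
const groupHardened = (raw) => groupHeaders(raw, Object.create(null));

// Run a grouping function and report the outcome instead of letting the
// exception propagate (left uncaught, it would terminate the process).
function outcome(groupFn, raw) {
  try {
    return { ok: true, headers: groupFn(raw) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed sample input, not captured traffic.
const SAMPLE = ['Host', 'example.test', 'Accept', 'text/html', '__proto__', 'x'];

console.log('plain object:  ', outcome(groupFragile, SAMPLE));
console.log('null prototype:', outcome(groupHardened, SAMPLE));
```

The same pattern applies to any code that uses attacker-supplied strings as keys of a plain object: either use a null-prototype object or a Map, or check own properties before treating a lookup result as an existing entry.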

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 1.4% (Probability of exploitation in next 30 days)

Impact

Attackers can cause the server to crash, resulting in denial of service.

Mitigation

Update to the latest Node.js version where this issue is fixed.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 30, 2026

🟠 CVE-2026-21710 - High (7.5) A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prot... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-21710/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-21710
Severity: High
CVSS Score: 7.5
Status: new
EPSS: 1.4%
Social Posts: 1

CWE

  • CWE-770

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

1.4% (Probability of exploitation in the next 30 days)