CVE-2026-21637
Published: 20 January 2026
Summary
CVE-2026-21637 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Node.js (vendor: Nodejs). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 10.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-21637 is a flaw in Node.js TLS error handling that affects TLS servers using `pskCallback` or `ALPNCallback`. A synchronous exception thrown inside either callback bypasses the standard TLS error handling paths (the tlsClientError and error events), so the outcome is either immediate process termination or a silent file descriptor leak; both lead to denial of service. These callbacks process attacker-controlled input during the TLS handshake, and the vulnerability affects Node.js versions in which such callbacks can throw without being safely wrapped.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity during TLS handshakes. By repeatedly triggering synchronous exceptions in the callbacks, attackers can crash the server process or cause gradual resource exhaustion through file descriptor leaks, achieving denial of service. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
The Node.js security advisory provides details on patches and mitigation in its December 2025 security releases blog post at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3327
Vulnerability details
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing Node.js TLS server (T1190) via attacker-controlled handshake input, directly resulting in application or system denial of service through crashes or resource exhaustion (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of the Node.js TLS error handling vulnerability, as detailed in the December 2025 security releases, prevents DoS exploitation.
- SC-5 (Denial-of-service Protection): measures such as rate limiting TLS handshakes block repeated remote triggering of crashes or file descriptor leaks.
- SI-11 (Error Handling): synchronous exceptions in PSK or ALPN callbacks during TLS handshakes are managed without bypassing the standard error paths, avoiding process termination or resource leaks.
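The error-handling control above, and the "safely wrapped" callbacks the vulnerability details refer to, can be illustrated with a small defensive wrapper. The following is an added example and is not code from the Node.js project or from the advisory: it wraps the synchronous `pskCallback` and `ALPNCallback` handlers of a `tls.Server` so that an exception escaping either callback (the condition described on this page) is caught and converted into the return value that makes the TLS layer reject the handshake through its normal path (`null` for PSK, `undefined` for ALPN), and records the failure so that a burst of such rejections is visible to monitoring. The PSK table, the protocol preference list, the `rejections` store and the `selectProtocol`/`lookupPsk` helpers are all constructed for this example.

```javascript
// Added example, not Node.js project code. Defensive wrapper for the
// synchronous pskCallback / ALPNCallback options of tls.createServer().

// Handshake rejections caused by a callback exception (constructed store).
// A real server would feed these into its metrics or logs; repeated entries
// from one peer are the signal that someone is probing the handshake.
const rejections = [];

// Wrap a synchronous TLS callback so it can never throw into the TLS layer.
// `failValue` is whatever the callback must return to reject the handshake.
function safeCallback(fn, failValue) {
  return function wrapped(...args) {
    try {
      return fn.apply(this, args); // `this` is the TLSSocket when Node calls it
    } catch (err) {
      rejections.push({ callback: fn.name, message: err.message });
      return failValue; // reject via the standard TLS error path, never rethrow
    }
  };
}

// Constructed ALPN selector: strict about its input and throws on anything
// unexpected rather than silently accepting it.
function selectProtocol({ servername, protocols }) {
  if (!Array.isArray(protocols)) {
    throw new TypeError(`protocols must be an array (servername=${servername})`);
  }
  const offered = new Set(protocols);
  for (const preferred of ['h2', 'http/1.1']) {
    if (offered.has(preferred)) return preferred;
  }
  return undefined; // no overlap: Node rejects with a fatal ALPN alert
}

// Constructed PSK table and lookup; a real deployment would consult a key store.
const PSK_TABLE = new Map([
  ['client-1', Buffer.from('0123456789abcdef0123456789abcdef', 'hex')],
]);
function lookupPsk(socket, identity) {
  if (typeof identity !== 'string' || identity.length > 128) {
    throw new TypeError('malformed PSK identity');
  }
  return PSK_TABLE.get(identity) || null; // null terminates PSK negotiation
}

// The wrapped callbacks: these are what get handed to the TLS server.
const safeAlpn = safeCallback(selectProtocol, undefined);
const safePsk = safeCallback(lookupPsk, null);

// Build tls.createServer() options with the wrapped callbacks in place.
function serverOptions(extra) {
  return { ...extra, ALPNCallback: safeAlpn, pskCallback: safePsk };
}

// Usage (not run here because it needs a real key and certificate):
//   const tls = require('tls');
//   const server = tls.createServer(serverOptions({ key, cert }));
//   server.on('tlsClientError', (err) => console.warn('handshake failed:', err.message));
//   server.listen(8443);
```

The wrapper does not change what a well-behaved callback returns; it only guarantees that a throw becomes an ordinary handshake rejection, which the server then sees on its existing `tlsClientError` path, and that each such rejection is counted. Pairing the count with per-peer rate limiting is the SC-5 side of the same mitigation.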