Cyber Resilience

CVE-2026-21637

Severity: High · Category: DDoS

Published: 20 January 2026
Modified: 30 January 2026
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21637 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Nodejs Node.Js. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-21637 is a flaw in Node.js TLS error handling that affects TLS servers using `pskCallback` or `ALPNCallback`. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths, such as tlsClientError and error events, resulting in immediate process termination or silent file descriptor leaks that lead to denial of service. These callbacks process attacker-controlled input during the TLS handshake, and the vulnerability impacts Node.js versions where such callbacks throw exceptions without safe wrapping.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity during TLS handshakes. By repeatedly triggering synchronous exceptions in the callbacks, attackers can crash the server process or cause gradual resource exhaustion through file descriptor leaks, achieving denial of service. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).

The Node.js security advisory provides details on patches and mitigation in its December 2025 security releases blog post at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases.


Vulnerability details

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

CWE(s): CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote exploitation of public-facing Node.js TLS server (T1190) via attacker-controlled handshake input, directly resulting in application/system DoS through crashes or resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59464 (same product: Nodejs Node.Js)
CVE-2025-59466 (same product: Nodejs Node.Js)
CVE-2026-21636 (same product: Nodejs Node.Js)
CVE-2025-55130 (same product: Nodejs Node.Js)
CVE-2026-39304 (shared CWE-400)
CVE-2026-1525 (same vendor: Nodejs)
CVE-2025-27669 (shared CWE-400)
CVE-2026-27888 (shared CWE-400)
CVE-2025-59472 (shared CWE-400)
CVE-2025-40944 (shared CWE-400)

Affected Assets

nodejs node.js: 4.0.0 through 20.20.0 · 22.0.0 through 22.22.0 · 24.0.0 through 24.13.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): timely patching of the Node.js TLS error handling vulnerability, as detailed in the December 2025 security releases, to prevent DoS exploitation.

SC-5 Denial-of-service Protection (prevent): measures such as rate limiting TLS handshakes to block repeated remote triggering of crashes or file descriptor leaks.

SI-11 Error Handling (prevent): ensure that synchronous exceptions in PSK or ALPN callbacks during TLS handshakes are managed without bypassing the standard TLS error paths, avoiding process termination or resource leaks.
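The safe wrapping that SI-11 describes, as an added example (not code from this advisory or from the Node.js project): a guard that turns a synchronous throw inside `pskCallback` or `ALPNCallback` into a logged handshake rejection. The names `safeTlsCallback`, `selectAlpn`, `lookupPsk` and `buildServerOptions` are assumptions, and the PSK table is constructed sample data.

```javascript
// Added example, not from the advisory or Node.js. Wraps the TLS callbacks so a
// synchronous exception is reported and becomes a handshake rejection instead of
// escaping the TLS error path (the failure mode described for CVE-2026-21637).

// Generic guard: any exception thrown by `inner` is passed to `onError` and the
// wrapper returns `undefined`. Node's tls layer treats `undefined` from
// ALPNCallback as "reject with a fatal alert" and a null/undefined PSK as "no key".
function safeTlsCallback(name, inner, onError) {
  return function wrapped(...args) {
    try {
      return inner.apply(this, args);
    } catch (err) {
      onError(name, err);        // surface it to logging/alerting
      return undefined;          // reject this handshake, keep the process alive
    }
  };
}

// ALPN selection written without input validation: it assumes `protocols`
// (taken from the client hello) is an array and throws otherwise.
function selectAlpn({ protocols }) {
  if (!Array.isArray(protocols)) throw new TypeError('protocols must be an array');
  for (const p of ['h2', 'http/1.1']) if (protocols.includes(p)) return p;
  return undefined;              // no mutually supported protocol
}

// Constructed PSK table keyed by client identity (sample data only).
const PSK_TABLE = new Map([['client-a', Buffer.from('constructed-psk-a')]]);

// Server-side pskCallback(socket, identity): returns the key Buffer or null.
function lookupPsk(_socket, identity) {
  if (typeof identity !== 'string') throw new TypeError('identity must be a string');
  return PSK_TABLE.get(identity) ?? null;   // null: unknown identity, reject
}

// Options for tls.createServer(); `errors` receives every caught throw.
// ALPNCallback and ALPNProtocols are mutually exclusive, so only the callback is set.
function buildServerOptions(key, cert, errors) {
  const onError = (cb, err) => errors.push({ callback: cb, message: err.message });
  return {
    key,
    cert,
    ALPNCallback: safeTlsCallback('ALPNCallback', selectAlpn, onError),
    pskCallback: safeTlsCallback('pskCallback', lookupPsk, onError),
  };
}
```

The wrapper is defence in depth at the application layer; upgrading to a release from the December 2025 security releases remains the remediation.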
