Cyber Posture

CVE-2026-21637

High

Published: 20 January 2026

Published
20 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 13.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21637 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Nodejs Node.Js. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

AU-6 Audit Record Review, Analysis, and Reporting
addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

CP-4 Contingency Plan Testing
addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

IR-10 Integrated Information Security Analysis Team
addresses: CWE-400

The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.

MA-6 Timely Maintenance
addresses: CWE-400

Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote exploitation of public-facing Node.js TLS server (T1190) via attacker-controlled handshake input, directly resulting in application/system DoS through crashes or resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and…

more

error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Deeper analysisAI

CVE-2026-21637 is a flaw in Node.js TLS error handling that affects TLS servers using `pskCallback` or `ALPNCallback`. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths, such as tlsClientError and error events, resulting in immediate process termination or silent file descriptor leaks that lead to denial of service. These callbacks process attacker-controlled input during the TLS handshake, and the vulnerability impacts Node.js versions where such callbacks throw exceptions without safe wrapping.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity during TLS handshakes. By repeatedly triggering synchronous exceptions in the callbacks, attackers can crash the server process or cause gradual resource exhaustion through file descriptor leaks, achieving denial of service. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).

The Node.js security advisory provides details on patches and mitigation in its December 2025 security releases blog post at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases.

Details

CWE(s)
CWE-400

Affected Products

nodejs
node.js
4.0.0 — 20.20.0 · 22.0.0 — 22.22.0 · 24.0.0 — 24.13.0

CVEs Like This One

CVE-2025-59464Same product: Nodejs Node.Js
CVE-2025-59466Same product: Nodejs Node.Js
CVE-2026-21636Same product: Nodejs Node.Js
CVE-2025-55130Same product: Nodejs Node.Js
CVE-2025-24269Shared CWE-400
CVE-2025-65890Shared CWE-400
CVE-2025-27669Shared CWE-400
CVE-2024-54730Shared CWE-400
CVE-2026-22036Same vendor: Nodejs
CVE-2026-1526Same vendor: Nodejs

References