AIKIDO-2026-10034

node is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) | CVE-2026-21637 | Published Jan 14, 2026

50

Medium Risk

This Affects:

OS: node
  0.0.1 - 20.19.6   (fixed in 20.20.0)
  21.0.0 - 22.21.1  (fixed in 22.22.0)
  23.0.0 - 24.12.0  (fixed in 24.13.0)
  25.0.0 - 25.2.0   (fixed in 25.3.0)

TL;DR

Affected versions of the package are vulnerable to denial-of-service conditions due to improper TLS error handling when the pskCallback or ALPNCallback server options are used. A synchronous exception thrown inside one of these callbacks bypasses the standard TLS error handling paths (the tlsClientError and error events), resulting in either immediate process termination or a silent file descriptor leak that can exhaust resources over time. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

node is vulnerable to Denial of Service (DoS) in versions 25.0.0 - 25.2.0, 23.0.0 - 24.12.0, 21.0.0 - 22.21.1 and 0.0.1 - 20.19.6.

How to fix this

Upgrade node to a fixed release for your release line: 20.20.0, 22.22.0, 24.13.0 or 25.3.0 (or later).