TLS Error Handling Vulnerability in Node.js Affecting Remote Servers
CVE-2026-21637
What is CVE-2026-21637?
Node.js mishandles errors raised during the TLS handshake, which exposes servers to denial of service attacks. Remote attackers can target TLS servers that use PSK (Pre-Shared Key) or ALPN (Application-Layer Protocol Negotiation) callbacks. Exceptions thrown inside these callbacks are not properly managed and can either terminate the process abruptly or leak file descriptors without notice. Because the callbacks process attacker-controlled input during the TLS handshake, the flaw can be triggered repeatedly, which can exhaust server resources and make the server unavailable. This issue underscores the critical need for secure coding practices in managing TLS error handling in Node.js applications.
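One way to keep exceptions from escaping these callbacks, as an added example that is not code from this advisory or from the Node.js project. `guardAlpn`, `guardPsk`, the sample selectors and the key store are hypothetical names with constructed data; the wrappers rely on the documented contracts that `ALPNCallback` returns an offered protocol or `undefined`, and a server `pskCallback` returns the key or `null`.

```javascript
// Hypothetical wrappers: turn any exception or bad return value into a clean
// handshake rejection instead of letting it propagate out of the callback.
const MAX_IDENTITY_LEN = 128; // assumed application limit on PSK identity length

function guardAlpn(select, onError = () => {}) {
  return ({ servername, protocols }) => {
    try {
      const choice = select({ servername, protocols });
      // Returning a protocol the client did not offer is itself an error.
      return protocols.includes(choice) ? choice : undefined;
    } catch (err) {
      onError(err);
      return undefined; // reject this handshake, keep the process alive
    }
  };
}

function guardPsk(lookup, onError = () => {}) {
  return (socket, identity) => {
    try {
      if (typeof identity !== 'string' || identity.length > MAX_IDENTITY_LEN) return null;
      const key = lookup(identity);
      return ArrayBuffer.isView(key) ? key : null; // Buffer, TypedArray or DataView
    } catch (err) {
      onError(err);
      return null; // stop PSK negotiation for this connection only
    }
  };
}

// Constructed application callbacks that throw on unexpected client input.
const PREFERRED = ['h2', 'http/1.1'];
const KEYS = new Map([['sensor-01', { secret: Buffer.from('constructed-demo-key') }]]);
const pickProtocol = ({ protocols }) =>
  protocols.find((p) => PREFERRED.includes(p)).toLowerCase(); // TypeError if no match
const lookupKey = (identity) => KEYS.get(identity).secret;     // TypeError if unknown

function demo() {
  const errors = [];
  const alpn = guardAlpn(pickProtocol, (e) => errors.push(e.name));
  const psk = guardPsk(lookupKey, (e) => errors.push(e.name));
  return {
    alpnOk: alpn({ servername: 'a.example', protocols: ['h2', 'http/1.1'] }),
    alpnBad: alpn({ servername: 'a.example', protocols: ['spdy/1'] }),
    pskOk: psk(null, 'sensor-01'),
    pskBad: psk(null, 'unknown-device'),
    pskLong: psk(null, 'x'.repeat(4096)),
    errors,
  };
}
// Usage: tls.createServer({ ALPNCallback: guardAlpn(pickProtocol), pskCallback: guardPsk(lookupKey), ... })
```

The `onError` hook is where rejected handshakes would be counted or logged, so repeated triggering from one peer shows up in monitoring.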

Affected Version(s)
node 20.19.6
node 22.21.1
node 24.12.0
