Node.js
Moderate fix4 remedies
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*, +2 more
Moderate fix4 remedies
- ~20
- ~22
- ~24
- ~25
Node.js Denial-of-Service Vulnerability via `__proto__` Header in HTTP Request Handling
Vulnerability
Patched
A denial-of-service vulnerability has been identified in Node.js versions 20.x, 22.x, 24.x, and 25.x. The issue arises in the HTTP request handling when a request includes a header named `__proto__`. If the application accesses `req.headersDistinct`, the `__proto__` header resolves to `Object.prototype` instead of `undefined`. This misalignment causes a `TypeError` by attempting to call `.push()` on a non-array. The error is thrown synchronously within a property getter, bypassing `error` event listeners and creating a crash. To manage this vulnerability, every access to `req.headersDistinct` must be wrapped in a `try/catch` block.
Impact
Exploitation of this vulnerability leads to an uncaught `TypeError`, causing the Node.js process to crash.
Remediation
Users can update to Node.js versions 20.20.2, 22.22.2, 24.14.1, or 25.8.2 to address this vulnerability.
Added: Mar 30, 2026, 8:41 PM
Updated: Mar 30, 2026, 8:41 PM
Vulnerability Rating
Custom Algorithm
spread
7.8impact
2.5exploitability
4.3remediation
7.7relevance
4.9threat
0.0urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.