Node.js Timing Side-Channel Vulnerability in HMAC Verification Could Lead to MAC Forgery

Vulnerability

A timing side-channel vulnerability has been identified in Node.js HMAC verification. User-provided signatures are checked with a comparison that is not constant-time, so the time the check takes depends on how many bytes of the supplied value match the expected HMAC. Where an attacker can take high-resolution timing measurements of that check, for example by repeating requests against a low-jitter service, the comparison becomes a timing oracle that reveals the correct HMAC byte by byte. This issue affects Node.js versions 20.x, 22.x, 24.x, and 25.x.

Impact

An attacker who can measure verification time precisely could use those measurements to recover the valid HMAC for a message of their choosing, one byte at a time and without knowledge of the key, which amounts to MAC forgery. The attack needs many measured attempts per byte, so services that throttle or log repeated failed verifications make it considerably harder in practice.

Remediation

Upgrade to Node.js 20.20.2, 22.22.2, 24.14.1, or 25.8.2, which contain the fix. Application code that compares MACs or signatures itself should use crypto.timingSafeEqual() rather than a string or Buffer equality check; timingSafeEqual() throws if the two inputs differ in length, so compare lengths first and treat a mismatch as a failed verification.

Added: Mar 30, 2026, 8:39 PM
Updated: Mar 30, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 3.1
exploitability: 4.3
remediation: 7.7
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.