BIT-node-2026-21637

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21637.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-node-2026-21637
Aliases
Published
2026-01-26T14:48:02.384Z
Modified
2026-02-01T16:56:19.645842Z
Summary
[none]
Details

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Database specific 
{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.20.0
Introduced
21.0.0
Fixed
22.22.0
Introduced
23.0.0
Fixed
24.13.0
Introduced
25.0.0
Fixed
25.3.0

Database specific

source 
"https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21637.json"