This vulnerability in Node.js HTTP servers arises from improper handling of a header named '__proto__' in the req.headersDistinct property. Accessing this property leads to a TypeError because '__proto__' resolves to Object.prototype, causing a push method call on a non-array object. The exception is thrown synchronously within a property getter and bypasses error event listeners, making it difficult to handle without explicit try/catch blocks. Affected versions include all Node.js HTTP servers on 20.x, 22.x, 24.x, 25.x, and earlier major versions. The CVSS 3.0 score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (denial of service). No official patch or vendor advisory is currently referenced.

The vulnerability causes a denial of service condition by triggering an uncaught synchronous TypeError when processing HTTP requests with a '__proto__' header. This can crash or disrupt Node.js HTTP servers that access req.headersDistinct without proper error handling. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, applications should implement defensive coding by wrapping all accesses to req.headersDistinct in try/catch blocks to prevent unhandled exceptions. Avoid processing requests with suspicious '__proto__' headers if possible. Monitor official Node.js channels for updates and patches.