CVE-2026-21710 is a vulnerability in the Node.js HTTP server implementation affecting multiple active LTS and current releases including 20.x, 22.x, 24.x, and 25.x. The issue arises when an HTTP request includes a header named '__proto__' and the application accesses the req.headersDistinct property. Internally, the code attempts to push header values into an array stored in dest["__proto__"]. However, due to JavaScript prototype chain behavior, dest["__proto__"] resolves to Object.prototype instead of an array or undefined. Consequently, the .push() method is invoked on Object.prototype, which is not an array, causing a synchronous TypeError to be thrown inside a property getter. This exception bypasses Node.js’s usual error event listeners and cannot be intercepted or handled unless every access to req.headersDistinct is wrapped in try/catch blocks, which is impractical. The vulnerability leads to a denial of service (DoS) condition by crashing the HTTP server process. The CVSS v3.0 score is 7.5 (high), reflecting network exploitable, no privileges or user interaction required, and an impact limited to availability. No known exploits have been reported yet, but the widespread use of Node.js in web servers and applications makes this a significant risk. The flaw stems from improper handling of prototype pollution vectors in HTTP header processing, a common source of JavaScript security issues. The vulnerability affects all Node.js HTTP servers that rely on req.headersDistinct and do not implement additional input validation or error handling for this edge case.

The primary impact of CVE-2026-21710 is denial of service due to server crashes triggered by malicious HTTP requests containing the '__proto__' header. Organizations running vulnerable Node.js versions in production risk service outages, which can disrupt business operations, degrade user experience, and potentially cause financial losses. Since Node.js is widely used for web servers, APIs, and microservices globally, this vulnerability can affect a broad range of industries including technology, finance, e-commerce, and government services. The ease of exploitation—requiring no authentication or user interaction—means attackers can remotely trigger crashes simply by sending crafted HTTP requests. While the vulnerability does not directly compromise confidentiality or integrity, repeated exploitation could be used as part of larger denial of service campaigns or to distract from other attacks. The inability to catch the exception via standard error handlers complicates mitigation and increases the risk of unplanned downtime. Organizations with high-availability requirements or those relying heavily on Node.js HTTP servers should consider this vulnerability a critical operational risk.

To mitigate CVE-2026-21710, organizations should immediately upgrade to patched Node.js versions once available from the official Node.js project. Until patches are applied, developers should audit their code to identify all accesses to req.headersDistinct and wrap them in try/catch blocks to gracefully handle potential exceptions. Implementing strict input validation to reject or sanitize HTTP headers named '__proto__' at the application or proxy level can prevent exploitation. Web application firewalls (WAFs) and API gateways should be configured to block requests containing suspicious headers like '__proto__'. Monitoring HTTP traffic for anomalous headers and setting up alerts can help detect attempted exploitation. Additionally, deploying Node.js processes with process managers that automatically restart crashed services can reduce downtime impact. Finally, educating development teams about prototype pollution risks and secure coding practices in JavaScript can help prevent similar issues in the future.