CVE-2026-21637
📋 TL;DR
A Node.js TLS vulnerability allows remote attackers to crash TLS servers or cause resource exhaustion by triggering unhandled exceptions in PSK or ALPN callbacks during TLS handshakes. This affects any Node.js TLS server using PSK (Pre-Shared Key) or ALPN (Application-Layer Protocol Negotiation) callbacks that throw synchronous exceptions without proper error wrapping. The vulnerability leads to denial of service through process termination or file descriptor leaks.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Complete TLS server process termination leading to immediate service disruption, or silent file descriptor exhaustion causing eventual denial of service for all connections.
Likely Case
Service degradation or intermittent crashes as attackers repeatedly trigger the vulnerability, leading to resource exhaustion and connection failures.
If Mitigated
Limited impact with proper network segmentation and rate limiting, though vulnerable systems remain at risk of targeted attacks.
🎯 Exploit Status
Exploitation requires only a TLS connection: the PSK identity and the ALPN protocol list are attacker-controlled fields of the ClientHello, so a client can send values that make an application's pskCallback or ALPNCallback throw. No authentication is needed because the exception is triggered during the handshake, before any credential has been checked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the Node.js releases published as part of the December 2025 security releases, and later releases on each line; see the vendor advisory for the exact version number per release line
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Restart Required: Yes
Instructions:
1. Check the current Node.js version with 'node --version'. 2. Update to a patched release using a Node.js version manager or your system package manager (for example 'nvm install <patched version>', or the official binaries from nodejs.org); note that npm updates packages, not the Node.js runtime, so 'npm update -g node' is not an upgrade path. 3. Restart every Node.js TLS server that uses PSK or ALPN callbacks so that it runs on the patched binary.
🔧 Temporary Workarounds
Disable PSK/ALPN Callbacks
Remove or disable PSK and ALPN callback usage in TLS server configurations if the deployment does not need them.
Modify the Node.js TLS server code so that it no longer passes the 'pskCallback' or 'ALPNCallback' options to tls.createServer(); static ALPN selection through the 'ALPNProtocols' option does not involve a callback.
Wrap Callbacks in Try-Catch
Manually wrap the bodies of PSK and ALPN callbacks in try-catch blocks so that a synchronous exception cannot escape into the TLS handshake.
Wrap callback functions: try { /* callback logic */ } catch(e) { /* handle error */ }, where the catch branch logs the failure and returns the value that rejects the handshake (null from pskCallback, undefined from ALPNCallback) instead of rethrowing.
🧯 If You Can't Patch
- Implement network-level controls: Use firewalls or WAFs to limit TLS handshake attempts and rate-limit connections to vulnerable servers.
- Monitor resource usage: Closely monitor file descriptor counts and process stability for TLS servers, with automated alerts for abnormal behavior.
🔍 How to Verify
Check if Vulnerable:
Check if your Node.js TLS server code uses 'pskCallback' or 'ALPNCallback' options. If yes and Node.js version is before December 2025 security releases, assume vulnerable.
Check Version:
node --version
Verify Fix Applied:
After updating Node.js, verify with 'node --version' that the running release is from the December 2025 security releases or later, then confirm the behaviour directly: a test client that presents a PSK identity or ALPN list chosen to make the callback throw should have its handshake rejected while the server process keeps serving other connections.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process termination logs for Node.js TLS servers
- Error messages related to TLS handshake failures or uncaught exceptions in PSK/ALPN contexts
- Increased file descriptor usage warnings
Network Indicators:
- Multiple rapid TLS handshake attempts from single sources
- Abnormal TLS protocol patterns targeting PSK or ALPN negotiation
SIEM Query:
source="nodejs" AND (event="process_exit" OR error="uncaughtException") AND (message="*TLS*" OR message="*psk*" OR message="*ALPN*")
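The log indicators and the SIEM query above, applied in code to a handful of constructed log lines, as an added example rather than tooling from the advisory. The line format ("<iso-timestamp> <client-ip-or-dash> <message>"), the sample messages and the threshold values are assumptions; the point is the classification and the per-source burst detection that the "multiple rapid TLS handshake attempts" indicator calls for.

```javascript
'use strict';
// Added example, not tooling from the advisory. Runs the indicators listed
// above over constructed Node.js log lines. The line format
// "<iso-timestamp> <client-ip-or-dash> <message>" is an assumption.

// Constructed sample: three callback-related handshake failures from one
// source, an fd warning, unrelated traffic, then the crash path.
const SAMPLE_LOG = `
2025-12-10T10:01:02Z 203.0.113.7 TLS handshake failed: TypeError: Cannot read properties of undefined (reading 'alice') at pskCallback (/srv/app/server.js:42:21)
2025-12-10T10:01:02Z 203.0.113.7 TLS handshake failed: Error: no mutually supported ALPN protocol at ALPNCallback (/srv/app/server.js:55:11)
2025-12-10T10:01:03Z 203.0.113.7 TLS handshake failed: TypeError: Cannot read properties of undefined (reading 'bob') at pskCallback (/srv/app/server.js:42:21)
2025-12-10T10:01:03Z - Warning: 4090 open file descriptors, limit 4096
2025-12-10T10:01:04Z 198.51.100.2 GET /healthz 200
2025-12-10T10:01:05Z - uncaughtException: TypeError: Cannot read properties of undefined (reading 'carol') at pskCallback (/srv/app/server.js:42:21)
2025-12-10T10:01:05Z - process exit code 1
`.trim();

const INDICATORS = [
  // Uncaught exception whose stack names a PSK/ALPN callback: the crash path.
  { name: 'uncaught_callback_exception', re: /uncaughtException:.*\b(pskCallback|ALPNCallback)\b/ },
  // Handshake failures that still mention the callback: degradation/leak path.
  { name: 'callback_handshake_failure', re: /TLS handshake failed:.*\b(pskCallback|ALPNCallback)\b/ },
  { name: 'fd_pressure', re: /open file descriptors/ },
  { name: 'process_exit', re: /process exit code/ },
];

function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(.*)$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), src: m[2] === '-' ? null : m[2], msg: m[3] };
}

// Count each indicator and flag sources that produce `threshold` or more
// callback-related handshake failures within any `windowMs` window.
function analyze(text, { threshold = 3, windowMs = 10_000 } = {}) {
  const counts = Object.fromEntries(INDICATORS.map((i) => [i.name, 0]));
  const failuresBySrc = new Map();
  for (const raw of text.split('\n')) {
    const ev = parseLine(raw);
    if (!ev) continue;
    for (const ind of INDICATORS) {
      if (!ind.re.test(ev.msg)) continue;
      counts[ind.name] += 1;
      if (ind.name === 'callback_handshake_failure' && ev.src) {
        const times = failuresBySrc.get(ev.src) ?? [];
        times.push(ev.ts);
        failuresBySrc.set(ev.src, times);
      }
    }
  }
  const rapidSources = [];
  for (const [src, times] of failuresBySrc) {
    times.sort((a, b) => a - b);
    // Sliding window over sorted timestamps: i trails j by at most windowMs.
    for (let i = 0, j = 0; j < times.length; j++) {
      while (times[j] - times[i] > windowMs) i++;
      if (j - i + 1 >= threshold) { rapidSources.push(src); break; }
    }
  }
  return { counts, rapidSources };
}
```

The handshake-failure indicator is the one worth alerting on early: it fires while the server is still up, before the fd warning and the uncaught exception that the SIEM query above keys on.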