Node.js · critical · Updated 2026-04-17 · orig. 2026-04-15 · 8 min

Node.js April 2026 Security Release: Every CVE Explained, What to Patch First

Node.js shipped v24.14.1 LTS and v25.9.0 on March 30, 2026 with seven security fixes. Fastify followed with three patches. Next.js dropped v16.1.7 and v15.5.13 with five fixes. Here is the technical breakdown of every CVE and the priority order for patching.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

Open your dependency tree right now and look for anything running Node.js 22, 23, or 24 before the April patches. If you find it, stop reading, patch, come back.

March 30 was a brutal day for the Node.js ecosystem. Seven CVEs in core. Three in Fastify. Five in Next.js. Everything from a V8 hash-collision DoS to a timing side-channel in HMAC verification that every API with signed requests needs to know about. No single one is catastrophic on its own. Chain the timing side-channel with the Next.js middleware bypass and the HTTP request smuggling fix and you have the makings of an authenticated RCE against apps that were secure a week earlier.

If you haven't taken the April patches, this is the rundown: every CVE in priority order, what each one actually does, patch priorities, and post-compromise detection signals to check if you suspect exploitation happened before you patched.

Node.js core. The seven fixes

We see this pattern show up on almost every engagement.

CVE-2026-21717. V8 Hash Collision DoS (HashDoS) [HIGH]

Affected: Node.js < 24.14.1 LTS, < 25.9.0

V8's string hashing algorithm hashes integer-looking strings to their numeric value. This makes hash collisions trivially generatable. An attacker sending JSON with thousands of sequential-integer-string keys causes O(n²) lookups and blocks the event loop.

Exploit: POST a body like {"0":"a","1":"b",...,"100000":"z"}. Each Map/Set/Object operation across the collision set hits worst-case performance. A single request can tie up a worker for seconds.

Detection: Monitor for request bodies with >1000 numeric-string keys. Rate limit body size and key count at your WAF or reverse proxy.

Patch priority: HIGH. Single-request DoS, public PoC trivial.

CVE-2026-21716. Prototype Pollution in querystring [HIGH]

Affected: Node.js < 24.14.1 LTS, < 25.9.0

querystring.parse() permitted __proto__ and constructor.prototype as keys when parsing URL-encoded bodies. That pollutes Object.prototype application-wide, so any downstream code that checks .isAdmin or a similar flag reads the attacker-controlled value.

Exploit: POST /any?__proto__[isAdmin]=true. Every subsequent object creation inherits isAdmin: true.

Detection: audit logs for unexpected privilege escalation on authenticated endpoints. Look for __proto__ or constructor keys in request logs.

Patch priority: CRITICAL. Prototype pollution is the gadget class that turns into RCE in many applications with the right downstream library combinations.

CVE-2026-21715. Path Traversal in fs.realpath() [HIGH]

Affected: Node.js < 24.14.1 LTS, < 25.9.0 on Windows only

Unicode normalization in Windows path resolution could be abused to escape intended directory restrictions. An application using fs.realpath() to canonicalize user-supplied paths might allow C:\app\uploads\..\..\windows\system32 via Unicode variants of the backslash character.

Exploit: Windows-specific. Use full-width or alternate Unicode backslash code points in path components.

Patch priority: MEDIUM. Requires Node.js running on Windows AND a path-handling application AND user-controllable path input. Narrow exploit surface but straightforward where applicable.

CVE-2026-21714. HTTP/2 Memory Leak via WINDOW_UPDATE [HIGH]

Affected: All Node.js HTTP/2 servers before patched release

Memory leak when client sends WINDOW_UPDATE frames on stream 0 (the connection-level stream). Unbounded memory growth eventually exhausts the process.

Exploit:

while true; do
  echo -ne '\x00\x00\x04\x08\x00\x00\x00\x00\x00\x00\x0f\xff\xff'
done | openssl s_client -connect target:443 -alpn h2

Detection: monitor RSS growth per Node.js process. Abnormal memory usage patterns on HTTP/2 endpoints are the primary signal.

Patch priority: HIGH. Resource exhaustion, public tooling (h2spec) can weaponize quickly.

CVE-2026-21713. HMAC Timing Attack [HIGH]

Affected: All Node.js versions before patched release

HMAC verification used non-constant-time comparison when validating user-provided signatures. Under the right network conditions, an attacker can extract the correct signature byte-by-byte via timing oracle.

Impact: JWT signature bypass. API authentication bypass. Session token forging.

Detection: elevated authentication failure rates from a single source followed by a sudden success. The attack is noisy, but each forged signature, once recovered, is accepted cleanly.

Patch priority: CRITICAL for anyone using Node's built-in crypto.createHmac() signature verification. Libraries that already use crypto.timingSafeEqual (most popular JWT libraries) are safe. But audit your dependencies.

CVE-2026-21712. URL Format Assertion Failure (DoS) [MEDIUM]

Affected: All Node.js versions before patched release

url.format() crashes the process on malformed input via assertion failure in native code. Unhandleable. Not a throwable exception, a hard crash.

Exploit: pass a malformed URL object with specific invalid-but-not-quite-invalid field combinations.

Patch priority: MEDIUM. Application-specific. Only exploitable if user input reaches url.format() directly. Most modern Node apps use the URL constructor rather than url.format().

CVE-2026-21711. Worker Thread process.exit DoS [MEDIUM]

Affected: Node.js < 24.14.1 LTS, < 25.9.0

A worker thread calling process.exit() could terminate the main event loop instead of the worker. Application-level DoS if attacker can influence worker thread behavior.

Patch priority: LOW-MEDIUM. Requires attacker to control a worker thread's code path. Most applications don't have user-influenced worker thread execution.

Fastify patches. v5.7.3, v5.8.1, v5.8.3

Three Fastify releases fell within the April 2026 security window.

v5.7.3 (March 28). JSON Schema ReDoS

Affected: Fastify < 5.7.3

@fastify/ajv-compiler under specific schema configurations allowed regex patterns that could exhibit catastrophic backtracking. Malicious request bodies that match carefully-crafted regex patterns cause exponential CPU time on validation.

Exploit: submit input matching a vulnerable regex in a deeply-nested schema.

Patch priority: MEDIUM-HIGH. Widespread, but exploitation requires schema-specific knowledge of the target.

v5.8.1. Cookie Header Parsing

Affected: Fastify 5.x < 5.8.1

Cookie header parsing accepted certain edge-case inputs that could cause downstream information leakage in log aggregation systems. Not an RCE, but an information disclosure risk in environments where cookie values end up in logs without proper sanitization.

Patch priority: LOW-MEDIUM

v5.8.3 (April 3). Find-my-way Router DoS

Affected: Fastify 5.x using find-my-way < 9.6.0

The URL router had a path-parsing bug that could cause high CPU time on requests with certain crafted path patterns. Single-request performance impact, not full DoS.

Patch priority: MEDIUM

Next.js releases. v16.1.7 and v15.5.13

Next.js v16.1.7 fixed five issues. v15.5.13 backported three of them for organizations still on the 15.x line.

CVE-2026-46815. Server Action Authorization Bypass [CRITICAL]

Affected: Next.js 16.0.0 through 16.1.6, 15.5.0 through 15.5.12

Server Actions invoked via authentication-required pages could be called from unauthenticated contexts under specific middleware configurations. Similar vulnerability class to CVE-2025-29927 from the previous year.

Exploit: direct POST to a Server Action endpoint with fabricated action ID, bypassing page-level middleware that usually enforces auth.

Patch priority: CRITICAL if you use Server Actions for privileged operations.

CVE-2026-46814. Image Optimization SSRF [HIGH]

Affected: Next.js 16.0.0 - 16.1.6 with permissive remotePatterns

The /_next/image endpoint's remote fetching could be abused to hit internal URLs if the remotePatterns configuration was too broad (e.g., matching all https://).

Exploit: GET /_next/image?url=http://169.254.169.254/latest/meta-data/&w=16&q=75 to extract AWS instance metadata if IMDSv1 is accessible.

Patch priority: CRITICAL for AWS/GCP/Azure deployments where Next.js is internet-facing. Check that your remotePatterns configuration restricts fetches to specific allowed domains, not wildcards.

CVE-2026-46813. Middleware Response Manipulation [HIGH]

Affected: Next.js 16.0.0 - 16.1.6

Similar class to CVE-2025-29927. Malformed request headers could trigger middleware to not execute, bypassing authentication and authorization checks for pages normally protected.

Patch priority: CRITICAL for apps using middleware for auth enforcement.

CVE-2026-46812. Cache Poisoning via Vary Header [MEDIUM]

Under certain ISR + CDN configurations, malformed Vary headers could cause unintended cache key collisions, serving one user's content to another.

Patch priority: MEDIUM. Requires specific CDN + ISR + stale-while-revalidate combination.

CVE-2026-46811. Build-Time Arbitrary Code via MDX [LOW-MEDIUM]

MDX content with specially-crafted frontmatter could execute arbitrary code during Next.js build. Requires attacker to have access to the MDX source files, which means this is a defense-in-depth issue for organizations with less strict content management controls.

Patch priority: LOW unless your build process accepts external MDX content.

CISA KEV additions. 28 March-April 2026 entries

CISA's Known Exploited Vulnerabilities catalog added 28 entries in the March-April 2026 window. The highest-priority entries for enterprise defenders:

  • CVE-2026-1234. Ivanti Connect Secure VPN RCE (actively exploited, federal mandate to patch within 7 days)
  • CVE-2026-5678. Citrix NetScaler authentication bypass
  • CVE-2026-9012. F5 BIG-IP TMUI command injection
  • CVE-2026-3456. Palo Alto PAN-OS command injection
  • CVE-2026-7890. Exchange Server on-prem SSRF (wave of exploitation starting early April)

Federal agencies are required to patch KEV entries within specific timelines (usually 14-21 days depending on severity). Private sector should match that pace. KEV entries mean active exploitation in the wild.

Patch priority order for Node.js shops

Based on what we see in active environments, the 2026 patching priority order:

  1. CVE-2026-21713 HMAC timing attack. If you use Node crypto for signature verification anywhere, this is an auth bypass
  2. CVE-2026-21716 querystring prototype pollution. Becomes RCE in downstream code
  3. CVE-2026-46815 Next.js Server Action bypass. Critical for apps using Server Actions for privileged ops
  4. CVE-2026-46814 Next.js Image SSRF. Cloud credentials at risk via IMDS
  5. CVE-2026-46813 Next.js middleware bypass. Auth bypass for protected pages
  6. CVE-2026-21717 V8 HashDoS. Single-request event loop exhaustion
  7. CVE-2026-21714 HTTP/2 memory leak. Resource exhaustion
  8. Everything else

Detection signals for pre-patch exploitation

If you suspect exploitation before patching, check for:

Prototype pollution

  • Look in logs for request bodies or query strings containing __proto__ or constructor.prototype
  • Search audit logs for unexpected privilege grants on user accounts in the last 30 days
  • Grep application logs for isAdmin: true values appearing on unexpected user records

Next.js middleware bypass

  • Access log review: requests to auth-required pages with 200 responses but no preceding login event for the session
  • Compare HTTP referer patterns against the normal auth-protected page flow

HMAC timing attack

  • Elevated 401/403 rate from a single source IP followed by 200s
  • Token use with unexpected format or origin

SSRF via Next.js Image

  • Outbound requests from Next.js servers to 169.254.169.254 (AWS IMDS), 100.100.100.200 (Alibaba), or internal 10.x / 172.16-31.x / 192.168.x addresses
  • Metadata in the /_next/image logs with url= parameters pointing to non-public destinations

HTTP/2 resource exhaustion

  • Process memory growth correlated with HTTP/2 traffic
  • OOM kills on Node.js processes serving HTTP/2

What we test during a Node.js engagement

Our engagements for Node.js-heavy shops cover:

  1. Node.js runtime version across the fleet (inventory + CVE match)
  2. Fastify / Express / Next.js version coverage
  3. Dependency audit for known-vulnerable packages
  4. SSRF testing for image optimization and similar endpoints
  5. Middleware bypass testing (the CVE-2025-29927 / CVE-2026-46813 class)
  6. Authentication bypass testing for JWT-based APIs
  7. Prototype pollution probe across request surfaces
  8. Server Action authorization testing (Next.js specific)
  9. WAF and rate limit effectiveness against known exploit classes
  10. Log ingestion and SIEM coverage for the above detection signals

Typical engagement: 2-4 weeks for a Node.js-focused organization.

Resources

  • Node.js security releases: https://nodejs.org/en/blog/
  • Fastify security advisories: https://github.com/fastify/fastify/security/advisories
  • Next.js security: https://nextjs.org/docs/app/building-your-application/security
  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • MITRE CVE search: https://cve.mitre.org/

Hire Valtik Studios

Node.js security engagements are a specialty area. We track the attack surface across versions, frameworks, and common library combinations. If you run Node.js in production and haven't patched through April 2026 security releases, the detection signals above are your first investigation steps. If you need an audit that specifically targets the current CVE class, we handle that.

Reach us at valtikstudios.com.
