Critical Denial of Service Vulnerabilities in Node.js 20 Affect Fedora Users

Critical Denial of Service Vulnerabilities in Node.js 20 Affect Fedora Users

First seen 5 May 2026, 09:34 UTC Linuxsecurity 90% similarity 74.0

Article Content

Browse articles
ThreatCluster

Multiple denial of service vulnerabilities have been identified in Node.js version 20, affecting Fedora operating systems. The vulnerabilities include CVE-2026-21717, CVE-2026-21714, CVE-2026-21713, and CVE-2026-21716, all published on March 30, 2026. These vulnerabilities exploit predictable hash collisions, crafted HTTP/2 frames, timing oracle issues, and permission bypasses, posing significant risks to applications using Node.js. Additionally, CVE-2026-1525, CVE-2026-1526, CVE-2026-1528, and CVE-2026-1527, published on March 12, 2026, highlight further denial of service risks via WebSocket frames and HTTP request smuggling. The latest updates to Node.js version 20.20.2 aim to address these issues, but users are urged to apply patches immediately. The vulnerabilities could allow attackers to disrupt services and potentially gain unauthorized access to sensitive data. Users of Fedora 43 and 44 are particularly affected and should prioritize updates.

Key Points: • Multiple critical denial of service vulnerabilities identified in Node.js 20. • Affected systems include Fedora 43 and 44, with urgent patches available. • Exploitation methods include predictable hash collisions and crafted HTTP/2 frames.

ThreatCluster AI

Timeline

2026-03-12
CVE-2026-1525, CVE-2026-1526, CVE-2026-1528 published
2026-03-12
CVE-2026-1527 published
2026-03-12
CVE-2026-2229 published
2026-03-30
CVE-2026-21714, CVE-2026-21713, CVE-2026-21716 published
2026-03-30
CVE-2026-21717 published
2026-05-05
Node.js version 20.20.2 released to address vulnerabilities

Community

Browse all →