VYPR
Medium severity5.9NVD Advisory· Published Mar 30, 2026· Updated May 10, 2026

CVE-2026-21713

CVE-2026-21713

Description

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.

Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

36

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.