Medium severity (5.9) · NVD Advisory · Published Mar 30, 2026 · Updated May 10, 2026
CVE-2026-21713
Description
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 10
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)
- Anthropic response to 1-click pwn: Shouldn't have clicked 'ok' (The Register Security · May 7, 2026)
- vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution (The Hacker News · May 7, 2026)
- Critical vm2 sandbox bug lets attackers execute code on hosts (BleepingComputer · May 6, 2026)
- Attackers adopt JavaScript runtime Bun to spread NWHStealer (Malwarebytes Labs · May 6, 2026)
- Making Rust Workers reliable: panic and abort recovery in wasm-bindgen (Cloudflare Blog · Apr 22, 2026)
- Introducing Flagship: feature flags built for the age of AI (Cloudflare Blog · Apr 17, 2026)
- Artifacts: versioned storage that speaks Git (Cloudflare Blog · Apr 16, 2026)
- Iranian MOIS Actors & the Cyber Crime Connection (Check Point Research · Mar 10, 2026)
- Siemens gWAP (CISA Alerts)