A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue.
This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. With a CVSS score of 7.5, the risk to organizations includes potential denial of service conditions that could disrupt services and lead to resource exhaustion.
Organizations should prioritize patching immediately. The vulnerability has been analyzed and identified as a high severity issue, necessitating swift remediation efforts to mitigate any potential impact.
Security teams should be aware that this vulnerability does not currently have any known exploits or public proofs of concept available, but its exploitability is considered high. Therefore, proactive measures for patch management and security auditing are essential.
The publication date for this vulnerability is January 20, 2026, and organizations using vulnerable versions of Node.js should take immediate steps to assess their exposure.
Vulnerability Details
The vulnerability allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. This vulnerability is classified under CWE-400: Uncontrolled Resource Consumption, indicating a potential denial of service issue.
Affected versions of Node.js include those between 4.0.0 and 20.20.0, 22.0.0 and 22.22.0, 24.0.0 and 24.13.0, and 25.0.0 and 25.3.0. Organizations should verify their version and apply necessary updates.
Technical Analysis
The root cause of this vulnerability lies in the improper handling of synchronous exceptions during the TLS handshake callbacks. Attackers may leverage this flaw by sending specially crafted requests that result in either immediate termination of the Node.js process or silent resource leaks.
The attack vector is network-based, requiring no privileges or user interaction to exploit. The attack complexity is low, making it easier for attackers to execute an attack successfully. The availability impact is rated as high, indicating a significant risk of service disruption.
Risk & Impact Analysis
Real-world deployment risk includes potential service outages and resource exhaustion for organizations relying on Node.js for TLS communications. This vulnerability's impact can lead to significant downtime and loss of revenue, as well as damage to organizational reputation.
Organizations should assess the blast radius of this vulnerability, particularly those utilizing Node.js in production environments. The urgency assessment based on CVSS indicates that organizations should address this vulnerability in their priority patch cycle.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
Affected versions include Node.js versions between 4.0.0 and 20.20.0, 22.0.0 and 22.22.0, 24.0.0 and 24.13.0, and 25.0.0 and 25.3.0. Organizations are advised to review their Node.js installations and apply patches as necessary.
Mitigation & Remediation
Organizations should prioritize patching for Node.js to address this vulnerability. It is essential to upgrade to the latest version that includes the fix for this issue. If patching is not immediately feasible, consider implementing network controls to restrict access to TLS servers.
For continuous security testing, organizations can validate remediation through continuous penetration testing to ensure that similar vulnerabilities are not present.
Detection Guidance
Organizations should monitor logs for indicators of abnormal TLS handshake failures and errors related to the `pskCallback` and `ALPNCallback`. Additionally, behavioral anomalies, such as unexpected service restarts or resource exhaustion, should be investigated.
AppSecure Threat Intelligence Insight
This vulnerability represents a critical area of concern for organizations using Node.js. It highlights the need for robust error handling and validation of inputs during TLS handshakes. Security teams can learn from this incident to improve their application security practices.
To strengthen defenses against similar vulnerabilities, organizations are encouraged to implement a penetration testing methodology in their development lifecycle.
Furthermore, leveraging a comprehensive vulnerability management program will assist in identifying and remediating risks proactively.
Finally, organizations should consider the importance of API security testing as part of their overall security strategy.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)