CVE-2026-21713

{"id": "CVE-2026-21713", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-30T20:16:19.397", "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "support@hackerone.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."}, {"lang": "es", "value": "Un fallo en la verificaci\u00f3n HMAC de Node.js utiliza una comparaci\u00f3n de tiempo no constante al validar firmas proporcionadas por el usuario, filtrando potencialmente informaci\u00f3n de temporizaci\u00f3n proporcional al n\u00famero de bytes coincidentes. Bajo ciertos modelos de amenaza donde las mediciones de temporizaci\u00f3n de alta resoluci\u00f3n son posibles, este comportamiento podr\u00eda ser explotado como un or\u00e1culo de temporizaci\u00f3n para inferir valores HMAC.\n\nNode.js ya proporciona primitivas de comparaci\u00f3n seguras contra ataques de temporizaci\u00f3n utilizadas en otras partes de la base de c\u00f3digo, lo que indica que esto es un descuido en lugar de una decisi\u00f3n de dise\u00f1o intencional.\n\nEsta vulnerabilidad afecta 20.x, 22.x, 24.x y 25.x."}], "lastModified": "2026-05-10T14:16:47.507", "sourceIdentifier": "support@hackerone.com"}