CVE-2026-21714

MEDIUM 5.3

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

2th

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.

Vendor	nodejs
Product	node
Ecosystems	JavaScript Node.js
Industries	Technology
Published	Mar 30, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for nodejs node

Be the first to know when new medium vulnerabilities affecting nodejs node are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Versions

nodejs / node

20.20.1 ≤ 20.20.1 22.22.1 ≤ 22.22.1 24.14.0 ≤ 24.14.0 25.8.1 ≤ 25.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

nodejs.org: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases