The Long-Term Support (LTS) branch was updated to version 20.20.2 on March 24, 2026. The update fixes seven different security holes that affect core parts of Node.js such as TLS, HTTP/2, V8, and the permission model.
CVE-2026-21637 is the most serious vulnerability. It affects how Node.js handles TLS and is rated High. The patch fixes the problem by wrapping the SNICallback logic in a try/catch block, so that an unhandled exception no longer stops the process.
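The same guard can be applied on the application side. The following is an added example, not the Node.js patch or project code: it wraps a server's own SNICallback resolver so that a thrown exception or rejected promise is reported through the callback. `guardSNICallback`, `lookupContext`, the hostnames and the placeholder context objects are hypothetical.

```javascript
// Added example, not Node.js project code. Names and hostnames are hypothetical;
// the objects stand in for results of tls.createSecureContext({ key, cert }).
const contexts = new Map([['app.example.test', { ctx: { id: 'ctx-app' } }]]);

// Resolver with a latent bug: an unknown server name makes `entry` undefined,
// so reading `entry.ctx` throws a TypeError.
function lookupContext(servername) {
  const entry = contexts.get(servername);
  return entry.ctx;
}

// Wrap a resolver so sync throws and promise rejections reach cb(err)
// instead of escaping as an uncaught exception.
function guardSNICallback(resolve, onError = () => {}) {
  return function SNICallback(servername, cb) {
    let done = false;
    const finish = (err, ctx) => {
      if (done) return; // call back into the TLS layer at most once
      done = true;
      cb(err, ctx);
    };
    const fail = (err) => {
      onError(servername, err); // hook for logging or metrics
      finish(err instanceof Error ? err : new Error(String(err)));
    };
    let result;
    try {
      result = resolve(servername);
    } catch (err) {
      return fail(err);
    }
    if (result && typeof result.then === 'function') {
      result.then((ctx) => finish(null, ctx), fail);
    } else {
      finish(null, result);
    }
  };
}

// Drive the guard with one known and one unknown name (no sockets needed).
function runConstructedCases() {
  const logged = [];
  const guarded = guardSNICallback(lookupContext, (name) => logged.push(name));
  const seen = {};
  for (const name of ['app.example.test', 'unknown.example.test']) {
    guarded(name, (err, ctx) => { seen[name] = { err, ctx }; });
  }
  return { seen, logged };
}
```

In a real server the wrapped function is passed as the `SNICallback` option of `tls.createServer`, with `lookupContext` returning actual secure contexts.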
You can get the patched versions on all major platforms, such as Windows, Linux, macOS, and enterprise architectures, through official Node.js distribution channels.
Security experts strongly recommend that you upgrade to patched versions right away, such as v20.20, v22.22.2, v24.14.1, and v25.8.2. You can find these versions in the Google Play Store and the App Store for Android and iOS. The fix adds clear handling for these error conditions in the HTTP/2 processing layer.
The release also fixes CVE-2026-21717, a security hole in the V8 engine that enables HashDoS attacks. The problem is that V8 hashes strings that look like integers by turning them into numbers, which makes collisions easy to predict. Attackers can cause too many hash collisions by sending specially crafted JSON input. This slows down performance and uses up CPU resources.
The release also fixes a timing side-channel vulnerability in HMAC verification in the cryptographic layer.
The source of the issue is the use of a non-constant-time comparison function (memcmp), which leaks timing information based on the number of bytes that match. Applications handling untrusted JSON data are especially affected by this problem.











