Source: Dark C0d3rs (https://darkcoders.wiki), Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log), Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports), Thread: HackerOne Disclosed Reports - 2026-02-12 (/Thread-HackerOne-Disclosed-Reports-2026-02-12)

HackerOne disclosed reports - 2026-02-12 - hashXploiter - 02-13-2026

Medium | resolved
TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak
Bug reported by Max Harari was disclosed on February 12, 2026, 2:42 pm | Uncontrolled Resource Consumption
A flaw was discovered in Node.js TLS error handling that allowed remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` were in use. Synchronous exceptions thrown during these callbacks bypassed standard TLS error handling paths, causing either immediate process termination or silent file descriptor leaks that eventually led to denial of service. Because these callbacks processed attacker-controlled input during the TLS handshake, a remote client could repeatedly trigger the issue. The vulnerability affected TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks threw without being safely wrapped.

Medium | resolved
Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)
Bug reported by Winfunc was disclosed on February 12, 2026, 2:42 pm | Server-Side Request Forgery (SSRF)
A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` was enabled. Even without `--allow-net`, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking the intended security boundary of the permission model.

Medium | resolved
Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers
Bug reported by Aaron Brown was disclosed on February 12, 2026, 2:42 pm | Improper Handling of Exceptional Conditions
A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when `async_hooks.createHook()` was enabled. Instead of reaching `process.on('uncaughtException')`, the process terminated, making the crash unrecoverable.

Medium | resolved
Memory leak that enables remote Denial of Service against applications processing TLS client certificates
Bug reported by Anteater was disclosed on February 12, 2026, 2:41 pm | Uncontrolled Resource Consumption
A memory leak was discovered in Node.js's OpenSSL integration when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. The vulnerability was triggered when applications called `socket.getPeerCertificate(true)`, causing steady memory growth through repeated TLS connections.

High | resolved
Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
Bug reported by Nikita Skovoroda was disclosed on February 12, 2026, 2:41 pm | Improper Initialization
A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations under specific timing conditions.

High | resolved
FS Permissions Bypass
Bug reported by Natan Nehorai was disclosed on February 12, 2026, 2:41 pm | Violation of Secure Design Principles
A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path and read sensitive files. This broke the expected isolation guarantees and enabled arbitrary file read/write.

Medium | resolved
Mail stored HTML injection in subject text
Bug reported by se1en was disclosed on February 12, 2026, 1:52 pm
A vulnerability was discovered in the mail stored HTML injection in subject text. The vulnerability allowed for arbitrary HTML code to be injected into the subject line of emails stored in the system.