projects / nodejs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 12c505e) | patch
[PATCH] http: use null prototype for headersDistinct/trailersDistinct
authorMatteo Collina <hello@matteocollina.com>
Thu, 19 Feb 2026 14:49:43 +0000 (15:49 +0100)
committerJérémy Lal <kapouer@melix.org>
Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)
commit1b4c656d49a486d135585748632bba365daead80
tree0a88b5acebe075c02f80001693a3cc18b65a20ectree | snapshot
parent12c505ead92c0cbb2ad3edab0d91d98b6f62a5afcommit | diff
[PATCH] http: use null prototype for headersDistinct/trailersDistinct

Use { __proto__: null } instead of {} when initializing the
headersDistinct and trailersDistinct destination objects.

A plain {} inherits from Object.prototype, so when a __proto__
header is received, dest["__proto__"] resolves to Object.prototype
(truthy), causing _addHeaderLineDistinct to call .push() on it,
which throws an uncaught TypeError and crashes the process.

Ref: https://hackerone.com/reports/3560402
PR-URL: https://github.com/nodejs-private/node-private/pull/821
Refs: https://hackerone.com/reports/3560402
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21710

Gbp-Pq: Topic sec
Gbp-Pq: Name 52-http-use-null-prototype-for-headersDistinct-trailersDistinct.patch
lib/_http_incoming.js diff | blob | history
test/parallel/test-http-headers-distinct-proto.js [new file with mode: 0644] blob
test/parallel/test-http-multiple-headers.js diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.