projects / nodejs.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 13f31e4) | patch
tls: route callback exceptions through error handlers
authorMatteo Collina <hello@matteocollina.com>
Mon, 22 Dec 2025 17:25:33 +0000 (18:25 +0100)
committerBastien Roucariès <rouca@debian.org>
Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)
commite71906e5f437ee99b0a9b2a19c7c57b2d22084bb
treea145bb123a4a8374e7c3e00bd7258bea465e7ecdtree | snapshot
parent13f31e41787c00adde37f709cbbf676e37a2688bcommit | diff
tls: route callback exceptions through error handlers

Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: https://github.com/nodejs-private/node-private/pull/782
PR-URL: https://github.com/nodejs-private/node-private/pull/796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637

origin: backport, https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5

Gbp-Pq: Name CVE-2026-21637.patch
lib/_tls_wrap.js diff | blob | history
test/parallel/test-tls-alpn-server-client.js diff | blob | history
test/parallel/test-tls-psk-alpn-callback-exception-handling.js [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.