Node.js Fixes 12 Vulnerabilities, Including 2 High-Severity
Node.js has released security updates patching 12 vulnerabilities across its supported release lines. These updates include fixes for two high-severity flaws, which could lead to authentication...
Node.js has released security updates patching 12 vulnerabilities across its supported release lines. These updates include fixes for two high-severity flaws, which could lead to authentication bypass and denial-of-service (DoS) attacks.
The updates impact Node.js versions 22.x, 24.x, and 26.x, with patched releases now available as of June 18, 2026. The most critical issue, tracked as CVE-2026-48618, involves improper handling of Unicode dot separators in TLS hostname verification.
This flaw creates a mismatch between how hostnames are normalized by the resolver and verifier, potentially allowing attackers to bypass TLS wildcard-based authentication.
Under certain configurations, this could enable unauthorized access or compromise the confidentiality of secure communications, making it particularly dangerous for applications relying on strict certificate validation.
Another high-severity vulnerability, CVE-2026-48933, affects the WebCrypto API in Node.js. The issue stems from an integer overflow condition triggered when the input to the subtle.encrypt() function is a multiple of 2 GiB.
Node.js Patches Vulnerabilities
Successful exploitation can cause a remote process crash, leading to denial-of-service conditions in affected applications. This flaw highlights risks in cryptographic implementations when handling large or malformed inputs.
One notable flaw, CVE-2026-48934, allows TLS host identity verification to be bypassed via session reuse with a different server name. This could result in unauthorized connections if session parameters are improperly reused.
The 12 vulnerabilities addressed by Node.js are:
Another issue, CVE-2026-48928, involves case-sensitive hostname matching in SNI contexts, potentially enabling mutual TLS (mTLS) authorization bypass in multi-context deployments.
Node.js also fixed CVE-2026-48930, in which embedded null bytes in hostnames could lead to silent authority rebinding due to resolver truncation issues.
Additionally, CVE-2026-48619 exposes HTTP/2 clients to unbounded memory growth when processing attacker-controlled ORIGIN frames, potentially causing resource exhaustion.
A separate medium-severity issue, CVE-2026-48615, could leak proxy credentials through error messages when using proxy tunnels.
If credentials are embedded in proxy URLs, they may be exposed via logs or diagnostic outputs, increasing the risk of credential compromise.
Lower-severity flaws include multiple permission model bypasses, such as CVE-2026-48617 and CVE-2026-48935, that allow unintended access to restricted file paths or the modification of metadata.
Another issue, CVE-2026-48936, enables Unix domain socket servers to bypass network permission restrictions under specific conditions.
Additionally, a race condition in the HTTP agent (CVE-2026-48931) could allow response queue poisoning, where a client accepts responses before sending requests.
| CVE ID | Title | Severity | Affected Release Lines |
|---|---|---|---|
| CVE-2026-48933 | WebCrypto AES Integer Overflow — Remote Process Abort (DoS) | High | 22.x, 24.x, 26.x |
| CVE-2026-48618 | Unicode Dot Separator TLS Wildcard-Depth Authentication Bypass | High | 22.x, 24.x, 26.x |
| CVE-2026-48615 | Proxy Credentials Leaked in ERR_PROXY_TUNNEL Error Message | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48619 | Unbounded Memory Growth via Attacker-Controlled HTTP/2 ORIGIN Frames | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48937 | HTTP/2 Sessions Fail to Clean Up After GOAWAY on Invalid Protocol Errors | Medium | 22.x, 24.x |
| CVE-2026-48928 | Uppercase SNI Context Matching Leads to mTLS Authorization Bypass | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48930 | Embedded-NUL Hostnames Cause Silent Authority Rebinding (C-String Truncation) | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48934 | TLS Host Identity Verification Bypass via Session Reuse with Different Servername | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48617 | Permission Model Bypass via process.report.writeReport() Path Misvalidation | Low | 22.x, 24.x, 26.x |
| CVE-2026-48935 | Permission Model Bypass via FileHandle.utimes() in Promises API | Low | 22.x, 24.x, 26.x |
| CVE-2026-48936 | Unix Domain Socket Server Bypasses –permission Network Restrictions (Incomplete CVE-2026-21636 Fix) | Low | 26.x only |
| CVE-2026-48931 | HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent | Low | 22.x, 24.x, 26.x |
The release also includes important dependency updates to mitigate known vulnerabilities in third-party components.
Updated packages include llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and multiple versions of the undici HTTP client across different release lines.
Security experts strongly recommend upgrading to the latest patched versions, including Node.js v22.23.0, v24.17.0, and v26.3.1, to mitigate these risks.
As with previous releases, end-of-life versions remain vulnerable and should not be used in production environments.
This update underscores the importance of maintaining up-to-date runtime environments, especially for widely deployed platforms like Node.js that form the backbone of modern web applications and APIs.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.