Node.js Patches 12 Flaws Including TLS Bypass and DoS Bug
The Node.js project has issued critical security updates across its 22.x, 24.x, and 26.x release lines, addressing 12 vulnerabilities, including two high-severity flaws that could enable TLS authentication bypass and trigger remote process crashes.
Released on June 18, 2026, the patches are available as v22.23.0, v24.17.0, and v26.3.1, and users on any supported version are urged to upgrade immediately.
Node.js Patches 12 Vulnerabilities
The most severe vulnerability, CVE-2026-48933, affects the Node.js WebCrypto implementation. An integer overflow occurs when subtle.encrypt() receives input whose length is a multiple of 2 GiB, triggering a process abort across all supported release lines.
Any service that passes attacker-controlled data to subtle.encrypt() is therefore exposed to a remotely triggerable Denial-of-Service (DoS) condition. The flaw was reported by Erich and patched by Filip Skokan.
The second high-severity issue, CVE-2026-48618, is a TLS authentication bypass caused by mishandling of the Unicode dot separator.
Because the resolver and the certificate verifier do not normalize hostnames the same way, a hostname containing a Unicode dot separator can satisfy the verifier's wildcard-depth check against a certificate that should not match, compromising confidentiality and circumventing the TLS trust boundary entirely.
Three medium-severity CVEs further highlight what appears to be focused research into Node.js’s certificate validation logic:
- CVE-2026-48928 — Case-sensitive SNI matching enables mTLS authorization bypass in multi-context setups via uppercase hostname manipulation
- CVE-2026-48930 — Embedded null bytes in hostnames cause silent authority rebinding through C-string truncation in resolver bindings
- CVE-2026-48934 — TLS session reuse with a different servername bypasses host identity verification, enabling unauthorized connections
All three affect Node.js 22, 24, and 26. They were reported by tmeletlidis and 3d7omb, with fixes contributed by Matteo Collina.
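The hostname-handling bugs above (Unicode dot separators, case-sensitive SNI matching, embedded null bytes, wildcard depth) share one root cause: the string the verifier matches against the certificate is not the string the resolver or peer actually used. The following is an added example, not Node.js project code, of a strict pre-check you can install through the checkServerIdentity option of tls.connect(). It rejects control bytes and non-ASCII input before any matching, lowercases ASCII labels, and honours a wildcard only as the whole leftmost label matching exactly one label. The certificate shape (subjectaltname string, subject.CN) mirrors what Node passes to checkServerIdentity; the ERR_NULL_BYTE, ERR_NON_ASCII and ERR_BAD_LABEL codes are names assumed for this example.

```javascript
// Added example, not Node.js project code. Strict hostname validation that
// sits in front of certificate matching. Returns undefined on success or an
// Error on failure, the same contract tls.checkServerIdentity uses.

// One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Normalize the hostname the way the verifier must see it: reject embedded
// null bytes (C-string truncation), reject anything outside printable ASCII
// (Unicode dot variants such as U+3002 never reach the matcher), lowercase,
// drop a trailing dot, and check each label's syntax.
function normalizeHostname(hostname) {
  if (typeof hostname !== 'string' || hostname.length === 0) return { error: 'ERR_EMPTY' };
  if (hostname.includes('\0')) return { error: 'ERR_NULL_BYTE' }; // assumed code name
  for (const ch of hostname) {
    const code = ch.codePointAt(0);
    if (code < 0x21 || code > 0x7e) return { error: 'ERR_NON_ASCII' }; // assumed code name
  }
  let host = hostname.toLowerCase();
  if (host.endsWith('.')) host = host.slice(0, -1);
  const labels = host.split('.');
  if (!labels.every((l) => DNS_LABEL.test(l))) return { error: 'ERR_BAD_LABEL' }; // assumed code name
  return { host, labels };
}

// Match one dNSName pattern against normalized labels. A wildcard is honoured
// only as the entire leftmost label, matches exactly one label (so
// "*.example.com" never matches "a.b.example.com"), and must leave at least
// two literal labels ("*.com" is rejected). Partial wildcards are rejected.
function matchesPattern(pattern, labels) {
  const p = pattern.toLowerCase().split('.');
  const wildcard = p[0] === '*';
  const literal = wildcard ? p.slice(1) : p;
  if (!literal.every((l) => DNS_LABEL.test(l))) return false;
  if (wildcard && literal.length < 2) return false;
  if (p.length !== labels.length) return false;
  const offset = wildcard ? 1 : 0;
  return literal.every((l, i) => l === labels[i + offset]);
}

// Drop-in for the checkServerIdentity option. Per RFC 6125 the CN is only
// consulted when the certificate carries no dNSName SAN entries.
function strictCheckServerIdentity(hostname, cert) {
  const norm = normalizeHostname(hostname);
  if (norm.error) {
    const err = new Error(`Hostname rejected before certificate matching: ${norm.error}`);
    err.code = norm.error;
    return err;
  }
  const san = typeof cert.subjectaltname === 'string' ? cert.subjectaltname : '';
  const dnsNames = san.split(/,\s*/).filter((e) => e.startsWith('DNS:')).map((e) => e.slice(4));
  const cn = cert.subject && typeof cert.subject.CN === 'string' ? [cert.subject.CN] : [];
  const candidates = dnsNames.length > 0 ? dnsNames : cn;
  if (candidates.some((p) => matchesPattern(p, norm.labels))) return undefined;
  const err = new Error(`Hostname "${norm.host}" does not match certificate names: ${candidates.join(', ')}`);
  err.code = 'ERR_TLS_CERT_ALTNAME_INVALID'; // same code Node uses for a SAN mismatch
  return err;
}

module.exports = { normalizeHostname, matchesPattern, strictCheckServerIdentity };
```

Wire it in with `tls.connect({ host, servername: host, checkServerIdentity: strictCheckServerIdentity })`, and pass the same servername to every connection that may reuse a session so the identity the session was established for is the one being verified. The pre-check is deliberately stricter than the built-in matcher: it refuses internationalized hostnames outright rather than attempting IDNA conversion, which is the right trade-off for clients that only ever talk to ASCII hostnames and removes the resolver/verifier normalization gap at the cost of not supporting IDN peers.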
Two medium-severity HTTP/2 flaws affect the client and server sides respectively. CVE-2026-48619 allows a malicious server to flood HTTP/2 clients with unlimited ORIGIN frames, triggering out-of-memory conditions and client-side resource exhaustion.
CVE-2026-48937, affecting Node.js 22 and 24, causes HTTP/2 servers to continue accepting data even after sending a GOAWAY frame, preventing proper session cleanup.
CVE-2026-48615 (medium) exposes proxy credentials embedded in proxy URLs through ERR_PROXY_TUNNEL error messages, making them susceptible to capture via logs or diagnostics tools.
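Until every proxy-using Node.js process in a fleet is on a patched version, the practical mitigation for the credential leak is to strip userinfo from proxy URLs before they reach any logger, and to scan existing logs for ERR_PROXY_TUNNEL lines that already carry a `user:pass@` fragment. The following is an added example written for this page, not code from Node.js or from the advisory. The sample log lines are constructed for the example; the placeholder text REDACTED is an arbitrary choice.

```javascript
// Added example, not Node.js project code. Redact proxy credentials before
// they are logged, and detect ones that already leaked into diagnostics.

// Matches "<scheme>://<userinfo>@" so the userinfo can be replaced. Userinfo
// cannot contain whitespace, "/", "?", "#" or "@", which is what terminates it.
const USERINFO_IN_URL = /([a-z][a-z0-9+.-]*:\/\/)([^\s/?#@]+)@/gi;

// Redact the username and password of a proxy URL using the WHATWG URL parser.
// Returns the input unchanged if it is not a URL or carries no credentials.
function redactProxyUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl;
  }
  if (url.username === '' && url.password === '') return rawUrl;
  url.username = 'REDACTED';
  url.password = '';
  return url.href;
}

// Redact the proxy-related variables of an environment block before it is
// dumped into a crash report or diagnostics bundle.
function redactProxyEnv(env) {
  const out = { ...env };
  for (const key of Object.keys(out)) {
    if (/^(https?|all|no)_proxy$/i.test(key)) out[key] = redactProxyUrl(out[key]);
  }
  return out;
}

// Scrub any userinfo from a free-form log line, for use in a logger transport.
function scrubLogLine(line) {
  return line.replace(USERINFO_IN_URL, '$1REDACTED@');
}

// Detection over already-written logs: report ERR_PROXY_TUNNEL lines that
// still contain credentials, with the line index and the exposed username.
function findLeakedProxyCredentials(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    if (!line.includes('ERR_PROXY_TUNNEL')) return;
    for (const m of line.matchAll(USERINFO_IN_URL)) {
      hits.push({ line: index, user: m[2].split(':')[0] });
    }
  });
  return hits;
}

// Constructed sample input for the example, not real log output.
const SAMPLE_LOG = [
  'Error: Proxy tunnel failed for http://alice:s3cr3t@proxy.corp.example:3128 [ERR_PROXY_TUNNEL]',
  'info: outbound request via http://proxy.corp.example:3128 ok',
  'Error: Proxy tunnel failed for http://proxy.corp.example:3128 [ERR_PROXY_TUNNEL]',
];

module.exports = { redactProxyUrl, redactProxyEnv, scrubLogLine, findLeakedProxyCredentials, SAMPLE_LOG };
```

Run the detection once over historical logs to decide whether the exposed proxy accounts need rotation, and keep scrubLogLine in the logger transport for as long as unpatched processes remain, since the redaction has to happen on the consuming side when the error message itself is what leaks.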
Four low-severity flaws, CVE-2026-48617, CVE-2026-48935, CVE-2026-48936, and CVE-2026-4893, cover Permission Model bypasses that allow unauthorized filesystem writes and network socket creation, plus HTTP response queue poisoning through a TOCTOU race condition in http.Agent.
Patched Versions and Dependency Upgrades
| Release Line | Patched Version |
|---|---|
| Node.js 22.x | v22.23.0 |
| Node.js 24.x | v24.17.0 |
| Node.js 26.x | v26.3.1 |
Alongside CVE fixes, this release bundles critical dependency upgrades including llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and version-specific undici updates. All end-of-life Node.js versions remain unpatched and should be treated as vulnerable.
Organizations should prioritize upgrading immediately and auditing proxy configurations, TLS hostname validation logic, and HTTP/2 server implementations for exposure.