Node.js Releases Security Updates Addressing 12 Vulnerabilities

Node.js has recently issued security updates to address 12 vulnerabilities across its 22.x, 24.x, and 26.x release lines. These updates, released on June 18, 2026, include fixes for two high-severity flaws that could lead to authentication bypasses and denial-of-service (DoS) attacks.

High-Severity Vulnerabilities

The most critical issue, identified as CVE-2026-48618, involves improper handling of Unicode dot separators in TLS hostname verification. This flaw creates a mismatch between how hostnames are normalized by the resolver and verifier, potentially allowing attackers to bypass TLS wildcard-based authentication. Under certain configurations, this could enable unauthorized access or compromise the confidentiality of secure communications, posing significant risks for applications relying on strict certificate validation.

Another high-severity vulnerability, CVE-2026-48933, affects the WebCrypto API in Node.js. The issue arises from an integer overflow condition triggered when the input to the subtle.encrypt() function is a multiple of 2 GiB. Successful exploitation can cause a remote process crash, leading to denial-of-service conditions in affected applications. This flaw underscores the importance of robust input validation in cryptographic implementations, especially when handling large or malformed inputs.

Additional Vulnerabilities Addressed

Beyond these high-severity issues, the updates also address several medium- and low-severity vulnerabilities:

  • CVE-2026-48934: Allows TLS host identity verification to be bypassed via session reuse with a different server name, potentially resulting in unauthorized connections if session parameters are improperly reused.
  • CVE-2026-48928: Involves case-sensitive hostname matching in SNI contexts, which could enable mutual TLS (mTLS) authorization bypass in multi-context deployments.
  • CVE-2026-48930: Embedded null bytes in hostnames could lead to silent authority rebinding due to resolver truncation issues.
  • CVE-2026-48619: Exposes HTTP/2 clients to unbounded memory growth when processing attacker-controlled ORIGIN frames, potentially causing resource exhaustion.
  • CVE-2026-48615: Could leak proxy credentials through error messages when using proxy tunnels. If credentials are embedded in proxy URLs, they may be exposed via logs or diagnostic outputs, increasing the risk of credential compromise.
  • CVE-2026-48617 and CVE-2026-48935: Multiple permission model bypasses that allow unintended access to restricted file paths or the modification of metadata.
  • CVE-2026-48936: Enables Unix domain socket servers to bypass network permission restrictions under specific conditions.
  • CVE-2026-48931: A race condition in the HTTP agent could allow response queue poisoning, in which a client accepts a response before the corresponding request has been sent.

These vulnerabilities highlight the importance of regular updates and vigilant security practices in maintaining the integrity and reliability of Node.js applications. Developers and system administrators are strongly encouraged to apply these patches promptly to mitigate potential risks associated with these flaws.

As the Node.js ecosystem continues to evolve, staying informed about security updates and understanding the implications of identified vulnerabilities are crucial steps in safeguarding applications against emerging threats.