Node.js Blog

Thursday, June 18, 2026 Security Releases

Dependency Updates

This security release includes the following dependency updates to address public vulnerabilities:

  • llhttp (9.4.2) on all release lines
  • nghttp2 (1.69.0) on all release lines
  • openssl (3.5.7) on all release lines
  • undici (8.5.0) on 26.3.1
  • undici (7.28.0) on 24.17.0
  • undici (6.27.0) on 22.23.0

Vulnerabilities Fixed

Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) (CVE-2026-48933) - HIGH

A flaw in the Node.js WebCrypto implementation can crash the process if the input to subtle.encrypt() is a multiple of 2 GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to erichen for reporting this vulnerability and thank you Filip Skokan for fixing it.

Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (CVE-2026-48618) - HIGH

A flaw in Node.js TLS hostname handling: the resolver and the TLS verifier normalize hostnames containing Unicode dot separators differently, and this mismatch can lead to a TLS wildcard-depth authentication bypass. This can lead to a confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it.

Proxy credentials leaked in ERR_PROXY_TUNNEL error message (CVE-2026-48615) - MEDIUM

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to nssys for reporting this vulnerability and thank you Matteo Collina for fixing it.
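The credential-leak issue above is ultimately fixed in Node.js, but applications that embed credentials in a proxy URL also control what reaches their own logs and error reporters. The following is an added example (not Node.js project code) of scrubbing userinfo out of a proxy URL and out of free-form error text before it is logged; the proxy URL, host name and error text are constructed samples, and the redaction marker "REDACTED" is a choice made here, not a Node.js convention.

```javascript
// Added example, not Node.js project code: keep proxy credentials out of log
// lines and error reports. The proxy URL below is a constructed sample.

const SAMPLE_PROXY_URL = 'http://deploy:s3cret@proxy.example:3128'; // constructed

// Return a copy of the proxy URL with the userinfo replaced by a marker, so an
// operator can still see that credentials were configured without seeing them.
function redactProxyUrl(proxyUrl) {
  let url;
  try {
    url = new URL(proxyUrl);
  } catch {
    // Never echo an unparseable string back: it may still contain a secret.
    return '<unparseable proxy url>';
  }
  if (url.username !== '' || url.password !== '') {
    url.username = 'REDACTED';
    url.password = '';
  }
  return url.href;
}

// Scrub any "//user:pass@" userinfo out of free-form text (error messages,
// stack traces, diagnostic dumps) before it is written anywhere persistent.
function scrubUserInfo(text) {
  return String(text).replace(/(\/\/)[^\/@\s]+@/g, '$1REDACTED@');
}

// Build the object a logger or error reporter should receive instead of the
// raw Error: code, message and stack are kept, but passed through the scrubber.
function toSafeLogRecord(err) {
  return {
    code: err.code ?? 'UNKNOWN',
    message: scrubUserInfo(err.message),
    stack: scrubUserInfo(err.stack ?? ''),
  };
}

// Stand-alone usage with a constructed error shaped like a tunnel failure.
const sampleError = new Error(`Proxy tunnel failed for ${SAMPLE_PROXY_URL}`); // constructed
sampleError.code = 'ERR_PROXY_TUNNEL';
console.log(redactProxyUrl(SAMPLE_PROXY_URL));
console.log(toSafeLogRecord(sampleError));
```

Run the scrubber at the logging boundary (the transport or formatter every log line passes through), not only at the one call site that builds the proxy agent: the page's point is that credentials can surface through "error handling paths" that the application author did not write.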

Permission Model Bypass via process.report.writeReport() Path Misvalidation (CVE-2026-48617) - LOW

A flaw in Node.js Permission Model enforcement allows bypass via process.report.writeReport() path misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to suul for reporting this vulnerability and thank you RafaelGSS for fixing it.

Unbounded memory growth in node:http2 clients via attacker-controlled ORIGIN frames (CVE-2026-48619) - MEDIUM

A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which can lead to an out-of-memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to kingsd for reporting this vulnerability and thank you Matteo Collina for fixing it.

HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors (CVE-2026-48937) - MEDIUM

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.

Thank you to Tim Perry for reporting this vulnerability and for fixing it.

Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (CVE-2026-48928) - MEDIUM

An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it.

Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (CVE-2026-48930) - MEDIUM

A flaw in Node.js TLS hostname handling: because the resolver bindings treat hostnames as C strings, a hostname containing an embedded NUL byte is truncated at that byte, which can lead to silent authority rebinding. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it.
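Three of the TLS issues in this release (Unicode dot separators, uppercase SNI names, embedded NULs) share one root: two components normalized the same hostname differently. The fixes live in Node.js, but an application that keys its own SNI contexts, allow-lists or wildcard policies by hostname can make the same mistake. The following is an added example, not Node.js project code, of a single canonicalization step applied on every path a hostname takes; it relies only on the WHATWG URL parser Node.js ships (which performs IDNA mapping and ASCII lowercasing), the host names are constructed, and the context registry and wildcard-depth rule are this example's own design rather than the tls module's API.

```javascript
// Added example, not Node.js project code: apply ONE canonical form to every
// hostname an application hands to TLS (servername, SNI context keys, wildcard
// checks) so that resolver, verifier and policy code never disagree about what
// the name is. Only the WHATWG URL parser that Node.js ships is used.

// Canonicalize a hostname, or return null if it is not an acceptable DNS name.
function canonicalHostname(input) {
  if (typeof input !== 'string' || input.length === 0) return null;
  // An embedded NUL would be silently truncated by C-string based code paths,
  // so it is rejected outright instead of being "normalized".
  if (input.includes('\0')) return null;
  let url;
  try {
    // The URL parser applies IDNA mapping and ASCII lowercasing for us.
    url = new URL(`https://${input}/`);
  } catch {
    return null;
  }
  // Anything that parsed as more than a bare host (userinfo, a non-default
  // port, a path or query smuggled in through '@', ':', '/' or '?') is refused.
  if (url.username || url.password || url.port || url.pathname !== '/' ||
      url.search || url.hash) return null;
  const host = url.hostname;
  // IPv4 literals get name-matching rules of their own; refuse them here.
  if (/^[0-9.]+$/.test(host)) return null;
  // Plain ASCII LDH labels only; IPv6 brackets and trailing dots fail this.
  const label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
  if (!new RegExp(`^${label}(?:\\.${label})*$`).test(host)) return null;
  return host;
}

// Wildcard matching with an explicit depth rule: '*' stands for exactly one
// label, so '*.example.com' matches 'www.example.com' but not 'a.b.example.com'.
// Both sides go through canonicalHostname(), so they cannot disagree.
function matchesWildcard(pattern, hostname) {
  const host = canonicalHostname(hostname);
  if (host === null) return false;
  if (pattern.startsWith('*.')) {
    const suffix = canonicalHostname(pattern.slice(2));
    if (suffix === null) return false;
    const labels = host.split('.');
    return labels.length === suffix.split('.').length + 1 &&
           labels.slice(1).join('.') === suffix;
  }
  const exact = canonicalHostname(pattern);
  return exact !== null && exact === host;
}

// SNI context registry keyed by the canonical name, so 'API.EXAMPLE.COM' in a
// ClientHello finds the same context as 'api.example.com'.
function createContextRegistry() {
  const contexts = new Map();
  return {
    add(name, context) {
      const key = canonicalHostname(name);
      if (key === null) throw new TypeError(`invalid context name: ${JSON.stringify(name)}`);
      contexts.set(key, context);
    },
    lookup(servername) {
      const key = canonicalHostname(servername);
      return key === null ? undefined : contexts.get(key);
    },
  };
}

// Stand-alone usage with constructed names (no real hosts or contexts).
const registry = createContextRegistry();
registry.add('api.example.com', { name: 'api-context' }); // constructed placeholder
console.log(registry.lookup('API.EXAMPLE.COM'));          // the same context
console.log(matchesWildcard('*.example.com', 'a.b.example.com')); // false
```

The design choice worth copying is that rejection, not best-effort cleanup, is the response to a name that cannot be canonicalized: a hostname with an embedded NUL or with userinfo smuggled into it is dropped before any TLS or DNS code sees it, rather than being partially normalized on one side only.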

TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (CVE-2026-48934) - MEDIUM

A flaw in Node.js TLS host verification can allow an attacker to bypass certificate validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to 3d7omb for reporting this vulnerability and thank you Matteo Collina for fixing it.

Permission Model bypass via FileHandle.utimes() in the promises API (CVE-2026-48935) - LOW

A flaw in Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to muhammaddaffa for reporting this vulnerability and thank you RafaelGSS for fixing it.

Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) (CVE-2026-48936) - LOW

A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26.

Thank you to cyberjoker for reporting this vulnerability and thank you RafaelGSS for fixing it.

HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (CVE-2026-48931) - LOW

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Thank you to yushengchen for reporting this vulnerability and thank you Matteo Collina for fixing it.

Impact

The highest severity issue fixed in the 26.x release line is HIGH.
The highest severity issue fixed in the 24.x release line is HIGH.
The highest severity issue fixed in the 22.x release line is HIGH.

It's important to note that End-of-Life versions are always affected when a security release occurs. To ensure your system's security, please use an up-to-date version as outlined in our Release Schedule.
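A fleet-wide check that the running binary is on or above the releases listed here is usually the first thing an operator wants after reading an advisory like this. The following is an added example, not Node.js project code. It assumes that the release versions named in the Dependency Updates list above (26.3.1, 24.17.0 and 22.23.0) are the first releases on each line that contain all of the fixes, and, following the Impact section, treats any other major line as unsupported and therefore affected.

```javascript
// Added example, not Node.js project code: decide whether the running Node.js
// binary is at or above the release on its line that carries these fixes.
// The minimum versions are taken from the Dependency Updates list of this
// advisory (an assumption of this example); other major lines are reported as
// unsupported, because End-of-Life lines are always affected.

const MINIMUM_FIXED_VERSION = {
  26: [26, 3, 1],
  24: [24, 17, 0],
  22: [22, 23, 0],
};

// Parse 'v24.16.2' (or '24.16.2') into [major, minor, patch]; null if malformed.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One of 'patched', 'vulnerable', 'unsupported' or 'unknown'.
function patchStatus(versionText) {
  const version = parseVersion(versionText);
  if (version === null) return 'unknown';
  const fixed = MINIMUM_FIXED_VERSION[version[0]];
  if (fixed === undefined) return 'unsupported';
  return compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
}

// Stand-alone usage: report on the interpreter running this script.
console.log(`${process.version}: ${patchStatus(process.version)}`);
```

Because the comparison is done per major line, a build on a supported line that is older than the listed release is reported as vulnerable even if its minor number is higher than another line's fix (24.16.x is still vulnerable although 22.23.0 is patched); the status for a line not in the table is deliberately not "patched".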

Release Timing

Releases are available as of Thursday, June 18, 2026.

Contact and Future Updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
