Critical Security Update: Node.js Patches 12 Vulnerabilities Including High-Severity DoS and Authentication Bypasses
The Node.js security team has released a vital set of patches addressing 12 distinct vulnerabilities across all currently supported release lines. These updates, officially published on June 18, 2026, target significant flaws that could compromise both service availability and data integrity. Developers and DevOps engineers are urged to transition to the patched versions immediately: v22.23.0, v24.17.0, and v26.3.1.
Deep Dive: High-Severity Vulnerabilities
Among the most pressing issues is CVE-2026-48933, which targets the WebCrypto API. A technical flaw in the subtle.encrypt() function allows for an integer overflow when processing inputs that are multiples of 2 GiB. In a production environment, an attacker could exploit this to trigger a process crash, resulting in a remote Denial-of-Service (DoS) condition. This is a critical concern for any application performing cryptographic operations on untrusted user data.
Furthermore, CVE-2026-48618 presents a sophisticated threat to TLS handshake security. The vulnerability stems from improper handling of Unicode dot separators during hostname verification. This logic error can lead to a discrepancy between the resolved hostname and the actual certificate validation, effectively allowing attackers to bypass TLS wildcard authentication. Such a bypass could facilitate man-in-the-middle (MITM) attacks, compromising the confidentiality of encrypted streams.
Medium-Severity Exploits: Memory and Session Management
The update also addresses several medium-severity risks that impact the stability and privacy of network communications:
- HTTP/2 Resource Exhaustion (CVE-2026-48619): Attackers can exploit node:http2 clients by flooding them with excessive ORIGIN frames, leading to unbounded memory consumption and eventual service disruption.
- TLS Session Reuse Flaws (CVE-2026-48934): A vulnerability in host identity verification allows for potential bypasses when reusing TLS sessions with mismatched server names.
- Credential Exposure (CVE-2026-48615): A security regression in proxy tunneling could leak sensitive credentials via ERR_PROXY_TUNNEL error messages, making them visible in diagnostic logs.
- Hostname Rebinding (CVE-2026-48930): The presence of embedded NUL characters in hostnames can cause silent authority rebinding due to C-string truncation during the resolution process.
Low-Severity Fixes and Permission Model Hardening
While categorized as low severity, several flaws affect the Node.js Permission Model and internal API integrity. These include CVE-2026-48617 and CVE-2026-48935, which involve path misvalidation and FileHandle.utimes() bypasses, respectively. Additionally, CVE-2026-48936 addresses an incomplete fix regarding Unix domain socket restrictions in Node.js 26. While these require specific conditions to exploit, they could serve as vital links in a complex, chained attack vector.
Vulnerability Summary Table
| CVE ID | Description | Severity | Affected Releases |
|---|---|---|---|
| CVE-2026-48933 | WebCrypto AES integer overflow (Remote DoS) | High | 22, 24, 26 |
| CVE-2026-48618 | TLS wildcard-depth authentication bypass | High | 22, 24, 26 |
| CVE-2026-48615 | Proxy credentials leaked in error messages | Medium | 22, 24, 26 |
| CVE-2026-48619 | Unbounded memory growth in HTTP/2 clients | Medium | 22, 24, 26 |
| CVE-2026-48934 | TLS host identity verification bypass | Medium | 22, 24, 26 |
| CVE-2026-48937 | HTTP/2 session cleanup failure (GOAWAY) | Medium | 22, 24 |
| CVE-2026-48928 | mTLS authorization bypass (SNI case-sensitivity) | Medium | 22, 24, 26 |
| CVE-2026-48930 | Silent authority rebinding (NUL hostnames) | Medium | 22, 24, 26 |
| CVE-2026-48617 | Permission model bypass (process.report) | Low | 22, 24, 26 |
| CVE-2026-48935 | Permission model bypass (FileHandle.utimes) | Low | 22, 24, 26 |
| CVE-2026-48936 | Unix domain socket permission bypass | Low | 26 Only |
| CVE-2026-48931 | HTTP response queue poisoning (Race condition) | Low | 22, 24, 26 |
Dependency Updates and Recommendations
In addition to the direct vulnerability patches, this release includes critical updates to several core upstream dependencies to ensure runtime stability: llhttp (9.4.2), nghttp2 (1.69.0), OpenSSL (3.5.7), and undici.
Action Required: It is strongly recommended that all administrators audit their environments and upgrade to the latest patched versions immediately. Please note that organizations running End-of-Life (EOL) versions of Node.js are not protected by these updates and remain highly vulnerable to these exploits.