The Node.js Project dropped a critical security update on Thursday, June 18, 2026, releasing patched versions for all three active release lines, Node.js 22.23.0, 24.17.0, and 26.3.1, to address 11 vulnerabilities ranging from low to high severity.
The release also bundles important dependency updates for llhttp, nghttp2, OpenSSL, and Undici, making this one of the most comprehensive Node.js security patches in recent months. Any developer or organization running Node.js in production environments should treat this update as urgent.
The most critical issues in this release are two high-severity vulnerabilities that affect all supported release lines.
CVE-2026-48933 targets Node.js’s WebCrypto implementation, where a flaw in the subtle.encrypt() function can cause a remote process abort (DoS) when the input size is a multiple of 2GiB.
An integer overflow in the AES processing path triggers a crash, meaning any attacker who can influence cryptographic input, particularly in public-facing APIs, can bring down a Node.js process entirely. Filip Skokan delivered the fix, credited to reporter Erich.
CVE-2026-48618 is arguably more dangerous from a network security standpoint. A Unicode dot-separator handling flaw in Node.js’s TLS implementation allows attackers to bypass wildcard-depth TLS authentication by exploiting a mismatch between how the hostname resolver and the hostname verifier normalize hostnames.
Under affected configurations, this can lead to confidentiality breaches or unauthorized TLS connections slipping past authentication controls. Both vulnerabilities were confirmed across Node.js 22, 24, and 26.
Five medium-severity CVEs round out the more serious concerns in this release.
- CVE-2026-48615 — Proxy credentials embedded in proxy URLs can leak through ERR_PROXY_TUNNEL error messages, potentially exposing sensitive authentication data in application logs or diagnostics. Affects all release lines.
- CVE-2026-48619 — An HTTP/2 client flaw allows a malicious server to send an unlimited number of ORIGIN frames, leading to unbounded memory growth and eventual out-of-memory crashes on the client side.
- CVE-2026-48937 — HTTP/2 sessions fail to clean up after receiving a GOAWAY frame on invalid protocol errors, causing servers to keep accepting data indefinitely. This affects Node.js 22 and 24 only.
- CVE-2026-48928 — Case-sensitive SNI context matching allows mTLS authorization bypass in multi-context setups when hostnames contain uppercase characters, potentially routing connections to the wrong TLS context.
- CVE-2026-48934 — TLS session reuse with a different servername can bypass certificate host identity verification, enabling unauthorized connections without triggering a certificate validation error.
- CVE-2026-48930 — Embedded null bytes in hostnames cause silent authority rebinding due to C-string truncation in resolver bindings, allowing hostname spoofing at the resolver level.
The TLS cluster (CVE-2026-48618, 48928, 48930, 48934) collectively poses a serious threat to applications that rely on Node.js for mutual TLS authentication, API gateway security, or encrypted microservice communication.
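The four TLS issues share a root cause: the name used to select or verify a TLS context is interpreted differently by two components (case, trailing dot, embedded NUL, non-ASCII dot look-alikes). As an added example, not code from the Node.js project or this article, the routine below canonicalises the SNI name before it is used as a lookup key in a multi-context server, as defence in depth alongside the upgrade; the context map, its keys and the sample names are assumptions.

```javascript
// Added example, not Node.js project code: canonicalise a TLS servername
// before using it to pick a SecureContext. Defence in depth only; it does
// not replace upgrading. Context keys and sample names are constructed.

// RFC 1123 label: 1-63 lowercase alphanumerics/hyphens, no edge hyphen.
const LABEL_RE = /^(?!-)[a-z0-9-]{1,63}(?<!-)$/;

// Returns the canonical lowercase hostname, or null if the name is unsafe
// to use as a lookup key.
function normalizeHostname(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > 254) return null;
  // Anything outside printable ASCII is rejected up front: that covers NUL
  // bytes (C-string truncation) and Unicode separators such as U+3002, which
  // a resolver and a verifier may not agree on.
  if (!/^[\x21-\x7e]+$/.test(name)) return null;
  let host = name.toLowerCase();
  if (host.endsWith(".")) host = host.slice(0, -1); // single trailing dot = FQDN
  const labels = host.split(".");
  if (!labels.every((l) => LABEL_RE.test(l))) return null;
  return host;
}

// Picks a context by exact canonical match, then by a single-label wildcard
// ("*.example.com" matches "shop.example.com" but not "a.b.example.com").
// Returns null when nothing applies so the caller refuses the handshake
// instead of silently falling back to the default context.
function selectContext(contexts, servername) {
  const host = normalizeHostname(servername);
  if (host === null) return null;
  if (Object.hasOwn(contexts, host)) return contexts[host];
  const dot = host.indexOf(".");
  if (dot === -1) return null;
  const wildcard = "*" + host.slice(dot);
  return Object.hasOwn(contexts, wildcard) ? contexts[wildcard] : null;
}

// Wraps selectContext in the SNICallback(servername, cb) shape accepted by
// tls.createServer; `contexts` maps canonical names to tls.SecureContext.
function makeSniCallback(contexts) {
  return (servername, cb) => {
    const ctx = selectContext(contexts, servername);
    if (ctx === null) return cb(new Error("no TLS context for SNI name"));
    return cb(null, ctx);
  };
}
```

Pass `makeSniCallback(contexts)` as the `SNICallback` option of `tls.createServer`, with every key in `contexts` already lowercase and without a trailing dot.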
Four lower-severity vulnerabilities address gaps in Node.js’s Permission Model, which was introduced to restrict filesystem and network access in sandboxed environments.
- CVE-2026-48617 — process.report.writeReport() path misvalidation allows writing diagnostic reports to paths outside the permitted scope, bypassing the intended security boundary.
- CVE-2026-48935 — FileHandle.utimes() in the promises API allows modifying file metadata on read-only paths, even when protected by --allow-fs-read.
- CVE-2026-48936 — An incomplete fix for CVE-2026-21636 allows Unix domain socket servers to start without --allow-net permission. This one exclusively affects Node.js 26.
- CVE-2026-48931 — A TOCTOU race condition in http.Agent enables HTTP response queue poisoning, where a client can accept a response delivered before it has sent its corresponding request.
Alongside the CVE fixes, the Node.js project updated several core dependencies across all release lines:
- llhttp 9.4.2 — HTTP parser updates across all lines
- nghttp2 1.69.0 — HTTP/2 library updates across all lines
- OpenSSL 3.5.7 — Cryptographic library updates across all lines
- Undici 8.5.0 (Node.js 26.3.1), 7.28.0 (24.17.0), 6.27.0 (22.23.0) — HTTP client updates per release line
These dependency bumps address public vulnerabilities in upstream libraries and should be factored into any dependency-auditing workflows.
All three updated versions are available immediately from the official Node.js download page. The Node.js project strongly advises moving to:
- Node.js 22.23.0 for LTS 22 users
- Node.js 24.17.0 for LTS 24 users
- Node.js 26.3.1 for Current 26 users
Organizations still running End-of-Life Node.js versions (anything below v22) should treat this as a forcing function to upgrade immediately, as EOL releases are always considered affected by security releases and receive no official patches.
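Added example, not from the Node.js project or this article: a small audit helper that classifies process.version-style strings against the three patched releases above, treating anything below v22 as End-of-Life; the host inventory is constructed sample data.

```javascript
// Added example, not Node.js project code: classify Node.js version strings
// (e.g. "v24.16.0") against the fixed releases named in the advisory, for
// fleet or CI audits. Inventory below is constructed sample data.
const PATCHED = { 22: [22, 23, 0], 24: [24, 17, 0], 26: [26, 3, 1] };
const OLDEST_SUPPORTED_MAJOR = 22; // below this is End-of-Life per the advisory
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
// "patched": at or above the fixed release for its line.
// "vulnerable": on a supported line but below the fixed release.
// "eol": End-of-Life line, treated as affected and never patched.
// "unlisted": a major with no fixed release in the advisory (assumption: an
// odd-numbered line such as 23 or 25); flag it for manual review.
function classify(version) {
  const parsed = parseVersion(version);
  if (parsed[0] < OLDEST_SUPPORTED_MAJOR) return "eol";
  const fixed = PATCHED[parsed[0]];
  if (!fixed) return "unlisted";
  return compareVersions(parsed, fixed) >= 0 ? "patched" : "vulnerable";
}
// Returns the hosts that still need action, sorted by name.
function auditInventory(inventory) {
  return Object.entries(inventory)
    .map(([host, version]) => ({ host, version, status: classify(version) }))
    .filter((r) => r.status !== "patched")
    .sort((x, y) => x.host.localeCompare(y.host));
}
// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = {
  "api-1": "v24.16.0",
  "api-2": "v24.17.0",
  "batch-1": "v20.19.0",
  "lab-1": "v25.1.0",
};
console.log(auditInventory(SAMPLE_INVENTORY));
console.log(`this process (${process.version}): ${classify(process.version)}`);
```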
Frequently Asked Questions
Q: Which Node.js versions are affected by these June 2026 vulnerabilities?
All actively supported release lines (Node.js 22, 24, and 26) are affected; End-of-Life versions are also considered vulnerable but unsupported.
Q: What is the highest severity CVE in this Node.js security release?
CVE-2026-48933 and CVE-2026-48618 are both rated HIGH and cover WebCrypto DoS and TLS authentication bypass, respectively.
Q: How do the TLS vulnerabilities (CVE-2026-48618, 48928, 48934) impact production applications?
They can allow attackers to bypass hostname verification and mTLS authentication controls, enabling unauthorized or misdirected encrypted connections.
Q: Where can developers download the patched Node.js versions?
Updated binaries for v22.23.0, v24.17.0, and v26.3.1 are available directly at nodejs.org/en/download.
Site: thecybrdef.com