VYPR
patch · Published Jun 19, 2026 · 1 source

Node.js Patches 12 Vulnerabilities, Including a High-Severity TLS Authentication Bypass and a WebCrypto Denial-of-Service Flaw

Node.js released security updates fixing 12 vulnerabilities across the 22.x, 24.x, and 26.x release lines, including a high-severity TLS hostname verification bypass, a high-severity WebCrypto denial-of-service bug, and several medium- and low-severity issues ranging from HTTP/2 resource exhaustion to permission model bypasses.

Node.js released a batch of security updates on June 18, 2026, addressing 12 vulnerabilities across its supported release lines, including two high-severity flaws: one lets an attacker bypass TLS authentication, the other lets an attacker crash a process remotely. The updates cover Node.js 22.x, 24.x, and 26.x, with the fixes shipping in v22.23.0, v24.17.0, and v26.3.1. Users should upgrade promptly, above all those running production web applications and APIs.

The higher-rated of the two, CVE-2026-48618, concerns the handling of Unicode dot separators (code points that IDNA mapping turns into an ASCII '.') during TLS hostname verification. The resolver and the certificate verifier normalize the same hostname differently, so the name that is looked up and the name that is matched against the certificate can disagree, and a wildcard certificate may be accepted for a name it should not cover. How far this goes depends on configuration, but in the affected cases an attacker could have a connection accepted under the wrong identity, taking the confidentiality of that session with it; clients whose only check on the peer's identity is certificate validation are the ones most exposed.

The other high-severity issue, CVE-2026-48933, is in the WebCrypto implementation: an integer overflow is triggered when the input passed to subtle.encrypt() is a multiple of 2 GiB in length. An attacker who can control the size of the data handed to that call can crash the process, a denial of service. The practical lesson is to bound input sizes before passing buffers to cryptographic primitives rather than relying on the implementation to reject oversized data.

Among the medium-severity issues, CVE-2026-48934 lets TLS host identity verification be bypassed through session reuse with a different server name, so a client that resumes a session obtained under one server name while connecting to another may accept the peer without its identity being verified against the new name. CVE-2026-48619 exposes HTTP/2 clients to unbounded memory growth when processing attacker-controlled ORIGIN frames, which a malicious server can use to exhaust client memory. CVE-2026-48615 can leak proxy credentials into error messages raised while using proxy tunnels, so any log or exception report that captures those messages becomes a place where the credential can be read.

Lower-severity flaws include several permission model bypasses, among them CVE-2026-48617 and CVE-2026-48935, which allow access to restricted file paths or modification of metadata that the permission model should have denied. CVE-2026-48936 lets Unix domain socket servers bypass network permission restrictions under specific conditions. A race condition in the HTTP agent (CVE-2026-48931) can poison the response queue: a client may accept a response before it has sent the corresponding request, so responses can be matched to the wrong request.

The release also updates bundled dependencies to mitigate known vulnerabilities in third-party components: llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and undici, which is bumped to a different version in each release line. As with previous releases, end-of-life release lines receive none of these fixes and should not be used in production.
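After upgrading, the quickest check that the bundled components actually moved is to compare process.versions against the floors named above. The following is an added example, not part of the release notes; the component names are the keys Node exposes in process.versions, the floors are the versions in this article, and undici is left out because its floor differs per release line. A build suffix such as '+quic' on the OpenSSL string is ignored in the comparison.

```javascript
// Added example (not from the Node.js release notes): compare the components
// bundled into the running binary against the floors this advisory names.
// undici is omitted because its floor differs per release line.
const MIN_VERSIONS = { llhttp: '9.4.2', nghttp2: '1.69.0', openssl: '3.5.7' };

// Parse "major.minor.patch", dropping build suffixes such as "+quic" or "-dev".
function parseVersion(s) {
  return String(s).split(/[+-]/)[0].split('.').map((p) => parseInt(p, 10) || 0);
}

// Component-wise comparison; missing components count as 0. Sign like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Takes an object shaped like process.versions and returns every component
// that is missing or below its floor.
function findOutdated(versions, minimums = MIN_VERSIONS) {
  const outdated = [];
  for (const [name, min] of Object.entries(minimums)) {
    const have = versions[name];
    if (have === undefined || compareVersions(have, min) < 0) {
      outdated.push({ name, have: have === undefined ? 'missing' : have, min });
    }
  }
  return outdated;
}

// Check the interpreter this runs under; true when every component is at or
// above its floor, with each shortfall reported on stderr.
function checkRunningBinary() {
  const outdated = findOutdated(process.versions);
  for (const o of outdated) {
    console.error(`${o.name}: have ${o.have}, need >= ${o.min}`);
  }
  return outdated.length === 0;
}
```

Wire checkRunningBinary() into a startup self-check or run it from a deploy script; a false result on a freshly upgraded host usually means an older node binary is still first on PATH or a container image was not rebuilt.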

The update is a reminder to keep runtime environments current, especially one as widely deployed as Node.js, which sits beneath a large share of web applications and APIs. Organizations should prioritize the high-severity TLS hostname verification bypass and the WebCrypto denial-of-service fix, then roll out the remaining fixes, rather than wait for reports of active exploitation.

Synthesized by Vypr AI