Thursday, June 18, 2026 Security Releases
Source: Node.js Blog
The Node.js Project
(UPDATE 2026-06-18) Security releases available
Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the following issues.
This security release includes the following dependency updates to address public vulnerabilities:
- llhttp (9.4.2) on all release lines
- nghttp2 (1.69.0) on all release lines
- openssl (3.5.7) on all release lines
- undici (8.5.0) on 26.3.1
- undici (7.28.0) on 24.17.0
- undici (6.27.0) on 22.23.0
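A practitioner's first question on reading a post like this is whether the interpreter in production already carries the fix. The script below is an added example, not code from the Node.js project or from this post: it compares a version string against the first patched release of each supported line. The only assumption it makes is the line-to-fixed-version table, read off the undici bullets above (26.3.1, 24.17.0, 22.23.0); anything outside those lines is reported as unpatched, matching the post's note that End-of-Life lines are always affected.

```javascript
'use strict';
// Added example (not code from the Node.js project or this advisory): check a
// Node.js version string against the first patched release of each supported
// line. FIXED_VERSIONS is this example's assumption, taken from the undici
// bullets in the post (26.3.1, 24.17.0, 22.23.0).
const FIXED_VERSIONS = {
  26: '26.3.1',
  24: '24.17.0',
  22: '22.23.0',
};

// Parse "v26.3.1", "26.3.1" or "26.3.1-rc.0" into its numeric parts plus a
// flag for a pre-release suffix (which sorts before the final release).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (m === null) throw new TypeError(`not a Node.js version string: ${version}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] !== undefined,
  };
}

// Three-way comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  // Same numbers: a pre-release of the fixed version is still below the fix.
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// Returns { patched, reason }. A major version with no entry in the table is
// not a supported line and is treated as affected.
function checkVersion(version, fixed = FIXED_VERSIONS) {
  const major = parseVersion(version).nums[0];
  const fix = fixed[major];
  if (fix === undefined) {
    return {
      patched: false,
      reason: `Node.js ${major}.x is not a supported release line; move to a supported line`,
    };
  }
  if (compareVersions(version, fix) >= 0) {
    return { patched: true, reason: `${version} is at or above the fixed release ${fix}` };
  }
  return { patched: false, reason: `${version} is below the fixed release ${fix}; upgrade` };
}

// Check the interpreter this script is running under.
const running = checkVersion(process.versions.node);
console.log(`node ${process.versions.node}: ${running.reason}`);
```

The table is the part to keep current: when the next security release lands, only `FIXED_VERSIONS` changes. Run it as `node check-node-version.js` on each host, or feed `node --version` output from an inventory into `checkVersion()`.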
Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) (CVE-2026-48933) - (high)
A flaw in the Node.js WebCrypto implementation can crash the process if the input to subtle.encrypt() is a multiple of 2 GiB in length.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to erichen for reporting this vulnerability and to Filip Skokan for fixing it.
Node.js Unicode dot separator handling can lead to TLS wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch (CVE-2026-48618) - (high)
A flaw in Node.js TLS hostname handling: the resolver and the certificate verifier normalize Unicode dot separators (the code points that IDNA maps to '.', such as U+3002) differently, so a wildcard certificate can be accepted for a name at a different label depth than the name that is actually resolved.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to tmeletlidis for reporting this vulnerability and to Matteo Collina for fixing it.
Proxy credentials leaked in ERR_PROXY_TUNNEL error message (CVE-2026-48615) - (medium)
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messages.
When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to nssys for reporting this vulnerability and to Matteo Collina for fixing it.
Permission Model Bypass via process.report.writeReport() Path Misvalidation (CVE-2026-48617) - (low)
A flaw in Node.js Permission Model enforcement: the path passed to process.report.writeReport() is not validated correctly against the model's filesystem restrictions, so a report can be written to a location the permission model was meant to block.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to suul for reporting this vulnerability and to RafaelGSS for fixing it.
Unbounded memory growth in node:http2 clients via attacker-controlled ORIGIN frames (CVE-2026-48619) - (medium)
A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which the client accumulates without bound and which can lead to an out-of-memory error on the client.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to kingsd for reporting this vulnerability and to Matteo Collina for fixing it.
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors (CVE-2026-48937) - (medium)
A flaw in the Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame in response to an invalid protocol error, so the session is never cleaned up.
This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.
Thank you, Tim Perry, for reporting this vulnerability and for fixing it.
Uppercase SNI context matching can lead to mTLS authorization bypass due to case-sensitive hostname matching (CVE-2026-48928) - (medium)
An inconsistency in Node.js hostname matching (SNI context names are compared case-sensitively, while DNS names are case-insensitive) can cause a trust-policy bypass in multi-context mTLS setups, where an uppercase servername selects a different context than intended.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to tmeletlidis for reporting this vulnerability and to Matteo Collina for fixing it.
Embedded NUL hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings (CVE-2026-48930) - (medium)
A flaw in Node.js TLS hostname handling: a hostname containing an embedded NUL byte is truncated at the NUL when it reaches the resolver's C-string bindings, so the name that is actually resolved silently differs from the name the caller supplied, rebinding the connection to a different authority.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to tmeletlidis for reporting this vulnerability and to Matteo Collina for fixing it.
TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (CVE-2026-48934) - (medium)
A flaw in Node.js TLS host verification: when a TLS session is reused with a different servername from the one it was established for, host identity verification can be bypassed, allowing an attacker to evade certificate validation and establish unauthorized connections.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to 3d7omb for reporting this vulnerability and to Matteo Collina for fixing it.
Permission Model bypass via FileHandle.utimes() in the promises API (CVE-2026-48935) - (low)
A flaw in the Node.js Permission Model allows file metadata (timestamps) to be modified through FileHandle.utimes() in the fs/promises API even on a path for which only read access was granted, e.g. with --allow-fs-read.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to muhammaddaffa for reporting this vulnerability and to RafaelGSS for fixing it.
Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) (CVE-2026-48936) - (low)
A flaw in the Node.js Permission Model allows a local server to be started on a Unix domain socket even without the --allow-net permission; the earlier fix for CVE-2026-21636 did not cover this case.
This vulnerability affects one supported release line: Node.js 26.
Thank you to cyberjoker for reporting this vulnerability and to RafaelGSS for fixing it.
HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent (CVE-2026-48931) - (low)
A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that the server sent before the client had sent its request, poisoning the response queue of a pooled connection.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Thank you to yushengchen for reporting this vulnerability and to Matteo Collina for fixing it.
Downloads and release details
Summary
The Node.js project will release new versions of the 26.x, 24.x, and 22.x release lines on or shortly after Wednesday, June 17, 2026, in order to address one or more security issues; the highest severity is HIGH.
Impact
The highest severity issue fixed in the 26.x release line is HIGH. The highest severity issue fixed in the 24.x release line is HIGH. The highest severity issue fixed in the 22.x release line is HIGH. It’s important to note that End-of-Life versions are always affected when a security release occurs. To ensure your system’s security, please use an up-to-date version as outlined in our Release Schedule.
Release timing
Releases are available as of Thursday, June 18, 2026.
The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js. Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.