Node.js June 2026 Security Releases: Critical TLS Authority Rebinding (CVE-2026-48930, CVSS 9.8) and 5 Additional Vulnerabilities

CVEs: CVE-2026-48930, CVE-2026-48618, CVE-2026-50741, CVE-2026-48933, CVE-2026-48619, CVE-2026-48615 | Highest CVSS: 9.8 (CRITICAL) | Affected: Node.js 22.x, 24.x (all supported release lines) | Vendor: Node.js / OpenJS Foundation


What Is the Vulnerability

Node.js has released its June 2026 security updates addressing 6 vulnerabilities across all supported release lines. The most severe vulnerability is CVE-2026-48930, a critical TLS flaw that enables silent certificate authority rebinding.

CVE-2026-48930 (CVSS 9.8, CRITICAL): TLS Embedded-Nul Hostname Authority Rebinding. Embedded-nul characters in TLS hostnames are handled differently by Node.js’s C-based resolver bindings versus the JavaScript TLS verifier. The C resolver truncates at the nul byte (C-string behavior), while the JavaScript verifier processes the full string. An attacker can present a valid TLS certificate for a benign hostname appearing before the nul byte, while the application connects to a malicious destination specified after the nul. TLS verification passes, but the connection goes to the wrong endpoint — silent MITM without any certificate warning. This affects every Node.js application making TLS connections where hostnames could contain embedded-nul characters, exploitable through attacker-controlled URLs, HTTP redirects, or proxy configurations.

CVE-2026-48618 (CVSS 7.7, HIGH): TLS Unicode Wildcard Bypass. Unicode dot separator handling causes a mismatch between the resolver and verifier hostname normalization, enabling TLS wildcard-depth authentication bypass. An attacker can use Unicode characters that resemble dots to bypass wildcard certificate restrictions.
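Both TLS issues above share one root cause: a hostname string that the resolver and the verifier interpret differently (truncation at a nul byte, or disagreement over what counts as a dot). The defensive counterpart is to refuse such strings before they ever reach a connect call. The following is an added example written for this page, not code from the Node.js project or its fix; it is a plain-JavaScript validator for hostnames taken from untrusted sources (URLs, redirects, proxy settings) that rejects embedded nul characters, the Unicode label separators that IDNA maps to ".", and anything outside printable ASCII, then enforces ordinary LDH label rules. The function names `validateHostname` and `connectOptionsFor` are this example's own.

```javascript
'use strict';
// Added example (not Node.js project code): validate a hostname that came from
// untrusted input before it is handed to tls.connect()/https.request() options.

// Code points that IDNA/UTS#46 treats as label separators (dot lookalikes).
// Rejecting them outright removes any chance of resolver/verifier disagreement.
const UNICODE_DOT_LOOKALIKES = ['\u3002', '\uFF0E', '\uFF61'];

// One LDH label: letters, digits, hyphen; no leading/trailing hyphen; 1..63 chars.
const LABEL_RE = /^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$/;

// Returns { ok: true, hostname } for an acceptable name, or { ok: false, reason }.
function validateHostname(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty-or-not-string' };
  }
  // The C side would stop here; the JS side would not. Refuse the string entirely.
  if (input.includes('\u0000')) {
    return { ok: false, reason: 'embedded-nul' };
  }
  for (const ch of UNICODE_DOT_LOOKALIKES) {
    if (input.includes(ch)) return { ok: false, reason: 'unicode-dot' };
  }
  // Only printable ASCII is allowed; non-ASCII names must be IDNA-encoded by the
  // caller first and then re-validated here so every layer sees the same bytes.
  if (!/^[\x21-\x7E]+$/.test(input)) {
    return { ok: false, reason: 'disallowed-char' };
  }
  if (input.length > 253) return { ok: false, reason: 'too-long' };
  // A single trailing dot (fully-qualified form) is tolerated; empty labels are not.
  const body = input.endsWith('.') ? input.slice(0, -1) : input;
  const labels = body.split('.');
  if (!labels.every((l) => LABEL_RE.test(l))) {
    return { ok: false, reason: 'bad-label' };
  }
  return { ok: true, hostname: input.toLowerCase() };
}

// Build connect options so that host and servername (SNI and the name the
// verifier checks) are pinned to the same validated string.
function connectOptionsFor(rawHost, port = 443) {
  const v = validateHostname(rawHost);
  if (!v.ok) throw new Error(`refusing TLS connect: ${v.reason}`);
  return { host: v.hostname, servername: v.hostname, port };
}
```

Usage: call `connectOptionsFor(hostFromRedirect)` and spread the result into `tls.connect()` or `https.request()`; a hostname that fails validation throws before any socket is opened. The validator deliberately accepts only dotted ASCII names and IPv4 literals; IPv6 literals contain colons and need a separate path (for example `net.isIPv6`), which is left out here to keep the name check strict.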

CVE-2026-50741 (CVSS 8.8, HIGH): Bypass of CVE-2026-34916 Fix. The fix for a previously patched vulnerability can be bypassed by sending a disallowed but valid plugin identifier as the type parameter, or using ox.setChannelTargeting bypass vectors. This demonstrates incomplete remediation of the original flaw.

CVE-2026-48933 (CVSS 7.5): WebCrypto DoS. The subtle.encrypt() function crashes the Node.js process when the input is a multiple of 2 GiB due to an integer overflow.

CVE-2026-48619 (CVSS 7.5): HTTP/2 ORIGIN Frame OOM. An HTTP/2 server can send an unlimited number of ORIGIN frames to a Node.js client, causing out-of-memory termination.

CVE-2026-48615 (CVSS 7.5): Proxy Credential Leak. Proxy credentials are exposed in ERR_PROXY_TUNNEL error messages, potentially leaking authentication tokens to logs, error handlers, and monitoring systems.


Versions Affected

  • Node.js 22.x — all versions prior to the June 2026 security release
  • Node.js 24.x — all versions prior to the June 2026 security release
  • All applications, frameworks, and services running on affected Node.js versions
  • Container images based on affected Node.js versions

Exploited?

No known active exploitation at this time. However, the CVSS 9.8 TLS authority rebinding vulnerability (CVE-2026-48930) is a critical design flaw that should be patched urgently — exploitation scenarios are well-understood and proof-of-concept exploits are likely. The bypass of a prior fix (CVE-2026-50741) indicates active security research attention on Node.js attack surfaces.


Fix

Upgrade to the latest patched Node.js versions immediately. The fix for CVE-2026-48930 addresses the normalization mismatch between the C-based resolver bindings and the JavaScript TLS verifier, ensuring consistent hostname processing.

  • Primary fix: Upgrade Node.js 22.x and 24.x to the latest patched versions per the official security release
  • Containers: Rebuild all Node.js container images with updated base images
  • CI/CD: Update Node.js versions in CI/CD pipelines
  • Version check: Run 'node --version' across all environments to verify patch status

Recommendations

  • Patch immediately — prioritise CVE-2026-48930 (CVSS 9.8). Any Node.js application making TLS connections is potentially affected.
  • Audit TLS connection handling. Review code that constructs TLS hostnames from user input, redirects, or proxy configurations — these are the most likely attack vectors for the embedded-nul vulnerability.
  • Rotate proxy credentials. If you use Node.js HTTP proxies, CVE-2026-48615 may have leaked credentials to logs — rotate them after patching.
  • Review HTTP/2 configurations. If your Node.js applications use HTTP/2 clients, ensure frame limits are configured to mitigate the ORIGIN frame OOM (CVE-2026-48619) even before patching.
  • Monitor Node.js security page. Subscribe to the Node.js security announcements for future releases.

References

Part of the Vulnerability Intelligence series on threat-modeling.com. 6 CVEs grouped from the Node.js June 2026 Security Releases. See the June 27, 2026 Vulnerability Intelligence Report for broader context.
