Node.js Fixes 12 Security Flaws, Including TLS Authentication Bypass and WebCrypto DoS Bugs
Node.js has released security updates for 12 vulnerabilities affecting its supported 22.x, 24.x, and 26.x release lines. The fixes are available in Node.js 22.23.0, Node.js 24.17.0, and Node.js 26.3.1, according to the official June 18 security release.
The two high-severity flaws are CVE-2026-48618 and CVE-2026-48933. CVE-2026-48618 can allow a TLS wildcard-depth authentication bypass in affected configurations, while CVE-2026-48933 can crash a Node.js process through a large WebCrypto encryption input.
Developers and administrators should upgrade quickly, especially if Node.js runs internet-facing APIs, authentication services, proxy-aware clients, HTTP/2 clients, or applications using the experimental Permission Model.
What Node.js fixed in the June 2026 update
The June update includes security fixes across TLS, WebCrypto, HTTP/2, DNS, proxy handling, file permissions, Unix domain sockets, and the HTTP agent. Several issues affect all supported release lines, while CVE-2026-48936 affects only Node.js 26.
The release also updates key dependencies used by Node.js, including llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and different undici versions for each release line.
The official Node.js security bulletin says the highest severity for Node.js 22, 24, and 26 is High. End-of-life versions remain unsafe for production because they no longer receive normal upstream security updates.
| Release line | Patched version | Status | Notes |
|---|---|---|---|
| Node.js 22.x | Node.js 22.23.0 | Maintenance LTS | Includes fixes for high, medium, and low-severity issues |
| Node.js 24.x | Node.js 24.17.0 | Active LTS | Includes fixes for high, medium, and low-severity issues |
| Node.js 26.x | Node.js 26.3.1 | Current | Includes the Node.js 26-only Unix domain socket permission fix |
The most serious issues affect TLS and WebCrypto
CVE-2026-48618 affects TLS hostname handling. Node.js says Unicode dot separator handling can create a mismatch between resolver and verifier hostname normalization, which can lead to wildcard-depth authentication bypass under affected configurations.
This issue matters for applications that rely on strict TLS identity checks. If hostname verification behaves differently from name resolution, attackers may be able to cross an intended trust boundary in specific deployment patterns.
CVE-2026-48933 affects the WebCrypto API. A flaw in the WebCrypto implementation can crash the process if the input to subtle.encrypt() is a multiple of 2 GiB, creating a denial-of-service risk for applications that process attacker-controlled encryption input.
Medium-severity flaws affect HTTP/2, TLS, SNI, and proxy handling
Node.js also fixed several medium-severity issues that can weaken trust decisions or cause resource exhaustion. CVE-2026-48934 can bypass TLS host identity verification through session reuse with a different server name.
CVE-2026-48928 affects SNI context matching. In multi-context mutual TLS deployments, case-sensitive hostname matching can lead to authorization bypass.
CVE-2026-48619 affects HTTP/2 clients. A malicious server can send attacker-controlled ORIGIN frames that cause unbounded memory growth and eventually trigger an out-of-memory condition.
| CVE | Issue | Severity | Affected release lines |
|---|---|---|---|
| CVE-2026-48933 | WebCrypto AES integer overflow can crash the process | High | 22.x, 24.x, 26.x |
| CVE-2026-48618 | Unicode dot separator handling can bypass TLS wildcard-depth authentication | High | 22.x, 24.x, 26.x |
| CVE-2026-48615 | Proxy credentials can leak in ERR_PROXY_TUNNEL error messages | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48619 | HTTP/2 ORIGIN frames can cause unbounded memory growth | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48937 | HTTP/2 sessions may not clean up after GOAWAY on invalid protocol errors | Medium | 22.x, 24.x |
| CVE-2026-48928 | Uppercase SNI context matching can lead to mTLS authorization bypass | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48930 | Embedded NUL hostnames can cause silent authority rebinding | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48934 | TLS host identity verification bypass through session reuse | Medium | 22.x, 24.x, 26.x |
| CVE-2026-48617 | Permission Model bypass through process.report.writeReport() path handling | Low | 22.x, 24.x, 26.x |
| CVE-2026-48935 | Permission Model bypass through FileHandle.utimes() | Low | 22.x, 24.x, 26.x |
| CVE-2026-48936 | Unix domain socket server can bypass Permission Model network restrictions | Low | 26.x only |
| CVE-2026-48931 | HTTP response queue poisoning through a race condition in http.Agent | Low | 22.x, 24.x, 26.x |
Why the proxy and hostname bugs matter
CVE-2026-48615 can expose proxy credentials in ERR_PROXY_TUNNEL error messages when credentials are embedded in proxy URLs. That can create secondary risk if errors are written to logs, diagnostics, monitoring systems, or shared debugging tools.
CVE-2026-48930 affects hostnames that include embedded null bytes. Node.js fixed resolver behavior that could otherwise truncate a hostname at the C-string boundary and silently rebind authority.
These issues do not affect every application in the same way. The highest-risk deployments are those that accept untrusted hostnames, use proxies with embedded credentials, rely on complex TLS routing, or run multi-tenant network services.
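The hostname and proxy-URL hygiene the preceding sections describe, as an added defensive example that is not Node.js project code: it rejects hostnames carrying embedded NUL bytes or Unicode dot separators before they reach the resolver or TLS verifier (the resolver/verifier disagreement behind CVE-2026-48618 and CVE-2026-48930), lowercases names so case alone cannot select a different SNI context (CVE-2026-48928), and redacts credentials from a proxy URL before it is written to a log or error message (the CVE-2026-48615 leak). The function names, the specific separator characters checked (U+3002, U+FF0E, U+FF61 from RFC 3490) and the sample inputs are assumptions, not details taken from the bulletin.

```javascript
// Added example, not Node.js project code. Assumed: function names, the set of
// separator characters, and all sample inputs.

// Characters IDNA (RFC 3490 section 3.1) maps to '.', so a resolver that applies
// IDNA and a verifier that splits on ASCII '.' can disagree about label boundaries.
const UNICODE_DOTS = /[\u3002\uFF0E\uFF61]/;

// Validates a hostname before it reaches DNS or TLS. Returns { ok, host } for an
// acceptable ASCII name (lowercased, trailing dot removed) or { ok, reason }.
function checkHostname(input) {
  if (typeof input !== 'string' || input.length === 0) return { ok: false, reason: 'empty' };
  if (input.includes('\0')) return { ok: false, reason: 'embedded NUL' };
  if (UNICODE_DOTS.test(input)) return { ok: false, reason: 'unicode dot separator' };
  // Only letters, digits, '.' and '-': anything else is rejected rather than normalized.
  if (!/^[A-Za-z0-9.-]+$/.test(input)) return { ok: false, reason: 'invalid character' };
  const name = input.endsWith('.') ? input.slice(0, -1) : input; // FQDN trailing dot
  const labels = name.split('.');
  if (labels.some((l) => l.length === 0 || l.length > 63)) {
    return { ok: false, reason: 'bad label length' };
  }
  // Lowercase so that case alone cannot select a different SNI context.
  return { ok: true, host: name.toLowerCase() };
}

// Produces a copy of a proxy URL that is safe to write to logs or error messages:
// embedded credentials are replaced with a marker instead of being echoed.
function redactProxyUrl(proxyUrl) {
  const u = new URL(proxyUrl);
  if (u.username !== '' || u.password !== '') {
    u.username = 'REDACTED';
    u.password = '';
  }
  return u.toString();
}
```

Call checkHostname on any externally supplied name before passing it to dns or tls, and route proxy URLs through redactProxyUrl in every error-formatting path, including ones that only run on failure.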
Permission Model bypasses also received fixes
Node.js fixed three low-severity issues tied to the Permission Model. CVE-2026-48617 involves process.report.writeReport() path validation, while CVE-2026-48935 allows file metadata modification through FileHandle.utimes() even when a path is limited to read access.
CVE-2026-48936 affects Node.js 26 only. It allows a local Unix domain socket server to start without the required network permission, due to an incomplete fix for CVE-2026-21636.
These flaws carry lower severity, but they still matter for sandboxed or restricted runtime environments. Developers using the Permission Model should update even if their applications do not use TLS, HTTP/2, or WebCrypto directly.
Dependency updates are included
The release also ships dependency updates. Across all three supported lines, llhttp moves to 9.4.2, nghttp2 to 1.69.0, and OpenSSL to 3.5.7.
Node.js also updated undici differently across release lines: undici 6.27.0 for 22.23.0, undici 7.28.0 for 24.17.0, and undici 8.5.0 for 26.3.1.
Teams that build container images should not stop at updating developer machines: they should also rebuild base images, CI runners, serverless layers, and production containers that package Node.js directly.
- Update Node.js 22.x deployments to the latest 22.23.0 release.
- Update Node.js 24.x deployments to the latest 24.17.0 release.
- Update Node.js 26.x deployments to the latest 26.3.1 release.
- Rebuild Docker and Kubernetes images that include Node.js.
- Check serverless runtimes, CI images, and developer workstations.
- Review logs for proxy credential exposure if affected proxy paths were used.
Supported release lines should receive priority
The current supported release lines are Node.js 22, 24, and 26. The Node.js release schedule lists 22.x as Maintenance LTS, 24.x as Active LTS, and 26.x as Current.
Node.js 20 is already end-of-life as of April 30, 2026. Older versions should not remain in production unless an organization has a separate commercial support arrangement and a clear migration plan.
Applications that cannot upgrade immediately should reduce exposure by limiting untrusted inputs, reviewing TLS and proxy usage, and placing affected services behind stricter network controls until the runtime can be replaced.
What developers and admins should do now
Administrators should first identify every Node.js runtime in production, staging, build systems, and container images. Many organizations patch application dependencies but forget the runtime packaged into older images.
Developers should also test applications after updating because dependency changes to OpenSSL, undici, nghttp2, and llhttp can affect network-facing behavior. Test suites should cover TLS connections, proxy tunnels, HTTP/2 clients, WebCrypto calls, and permission-restricted execution.
The release notes for Node.js 22.23.0 LTS, Node.js 24.17.0 LTS, and Node.js 26.3.1 Current list the patched CVEs and commits included in each branch.
- Run node -v across production hosts and build systems.
- Upgrade affected systems to 22.23.0, 24.17.0, or 26.3.1.
- Rebuild containers, base images, and packaged binaries.
- Retest TLS hostname verification and mTLS routing behavior.
- Review any proxy URLs that embed usernames or passwords.
- Audit logs for exposed proxy credentials after failed proxy tunnel requests.
- Check HTTP/2 clients that connect to untrusted or third-party servers.
- Retest applications that depend on the Permission Model.
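The first two checklist items above (collect node -v everywhere, then upgrade to 22.23.0, 24.17.0, or 26.3.1), as an added inventory helper that is not Node.js project code or the bulletin's own tooling: it parses node -v output gathered from hosts and groups each host by the action it needs, using the patched versions and end-of-life lines stated in this article. The function names and the sample inventory are assumptions; the host names are constructed.

```javascript
// Added example (not Node.js project code). Assumed: function names and the
// constructed inventory; version numbers are those named in the June 2026 release.
const PATCHED = { 22: [22, 23, 0], 24: [24, 17, 0], 26: [26, 3, 1] }; // first patched per line
const EOL_LINES = new Set([20, 21, 23, 25]); // per the schedule; anything below 22 is also EOL

// Parses `node -v` output such as "v24.12.0" into [24, 12, 0]; null if absent.
function parseNodeVersion(output) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(output).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Negative if a < b, zero if equal, positive if a > b (major, minor, patch).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Classifies one host's `node -v` output: patched, upgrade (with the target for
// its line), eol, not-in-bulletin, or unknown (node missing or garbled output).
function classify(output) {
  const v = parseNodeVersion(output);
  if (!v) return { status: 'unknown', target: null };
  const patched = PATCHED[v[0]];
  if (!patched) {
    const eol = EOL_LINES.has(v[0]) || v[0] < 22;
    return { status: eol ? 'eol' : 'not-in-bulletin', target: null };
  }
  const target = 'v' + patched.join('.');
  return { status: compareVersions(v, patched) >= 0 ? 'patched' : 'upgrade', target };
}

// Groups hosts by the action they need so the upgrade list can go straight to a ticket.
function auditFleet(inventory) {
  const groups = { patched: [], upgrade: [], eol: [], 'not-in-bulletin': [], unknown: [] };
  for (const { host, output } of inventory) {
    const { status, target } = classify(output);
    groups[status].push(status === 'upgrade' ? `${host} -> ${target}` : host);
  }
  return groups;
}

// Constructed sample inventory (not real hosts).
const SAMPLE_INVENTORY = [
  { host: 'api-01', output: 'v24.12.0' },
  { host: 'api-02', output: 'v24.17.0' },
  { host: 'batch-01', output: 'v22.23.1' },
  { host: 'ci-runner', output: 'v20.19.0' },
  { host: 'edge-01', output: 'v26.3.0' },
  { host: 'legacy-01', output: 'bash: node: command not found' },
];
```

Feed auditFleet the real output collected by your configuration management or SSH loop; hosts in the eol group need a migration rather than a point upgrade.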
End-of-life Node.js versions remain a risk
The official release schedule shows Node.js 20, 21, 23, and 25 as end-of-life. These branches do not receive the same standard security releases as supported lines.
For companies running large JavaScript services, the safest path is to standardize on supported LTS versions and keep runtime updates part of normal patch operations. Runtime flaws can affect every application that depends on the same Node.js build.
This June 2026 release is especially important because it fixes flaws across core networking, cryptography, HTTP/2, and permission enforcement. Those areas sit close to the security boundary of many Node.js services.
FAQ
Node.js fixed 12 vulnerabilities across supported 22.x, 24.x, and 26.x release lines. The issues affect TLS hostname verification, WebCrypto, HTTP/2, proxy error handling, DNS and hostname handling, the HTTP agent, and the Permission Model.
The fixed versions are Node.js 22.23.0, Node.js 24.17.0, and Node.js 26.3.1. Developers and administrators should upgrade affected 22.x, 24.x, and 26.x deployments to those releases or later.
The two high-severity vulnerabilities are CVE-2026-48618 and CVE-2026-48933. CVE-2026-48618 can allow a TLS wildcard-depth authentication bypass, while CVE-2026-48933 can crash a Node.js process through a large WebCrypto encryption input.
The vulnerabilities are in the Node.js runtime, so any application running an affected Node.js version should update. Actual risk depends on how the application uses TLS, WebCrypto, HTTP/2, proxy tunnels, hostnames, and permission restrictions.
No. End-of-life Node.js versions should not be used in production without a separate commercial support plan. They do not receive normal upstream security updates, which leaves applications exposed to known runtime vulnerabilities.