Node.js Fixes 12 Vulnerabilities, Including 2 High-Severity Authentication Bypasses
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Node.js has released a new round of security updates addressing 12 vulnerabiliti<\/a>es across its supported release lines, including two high-severity flaws that could lead to authentication bypass and denial-of-service (DoS) attacks.<\/p>\n The updates impact Node.js versions 22.x, 24.x, and 26.x, with patched releases now available as of June 18, 2026. The most critical issue, tracked as CVE-2026-48618, involves improper handling of Unicode dot separators in TLS hostname verification.<\/p>\n This flaw creates a mismatch between how hostnames are normalized by the resolver and verifier, potentially allowing attackers to bypass TLS wildcard-based authentication.<\/p>\n Under certain configurations, this could enable unauthorized access or compromise the confidentiality of secure communications, making it particularly dangerous for applications relying on strict certificate validation.<\/p>\n Another high-severity vulnerability, CVE-2026-48933, affects the WebCrypto API in Node.js. The issue stems from an integer overflow condition triggered when the input to the subtle.encrypt() function is a multiple of 2 GiB.<\/p>\n Successful exploitation can cause a remote process crash, leading to denial-of-service conditions<\/a> in affected applications. This flaw highlights risks in cryptographic implementations when handling large or malformed inputs.<\/p>\n One notable flaw, CVE-2026-48934, allows TLS host identity verification to be bypassed via session reuse with a different server name. This could result in unauthorized connections if session parameters are improperly reused.<\/p>\n The 12 vulnerabilities addressed by Node.js are:<\/p>\n Another issue, CVE-2026-48928, involves case-sensitive hostname matching in SNI contexts, potentially enabling mutual TLS (mTLS) authorization bypass <\/a>in multi-context deployments.<\/p>\n Node.js also fixed CVE-2026-48930, in which embedded null bytes in hostnames could lead to silent authority rebinding due to resolver truncation issues.<\/p>\n Additionally, CVE-2026-48619 exposes HTTP\/2 clients to unbounded memory growth when processing attacker-controlled ORIGIN frames, potentially causing resource exhaustion.<\/p>\n A separate medium-severity issue, CVE-2026-48615, could leak proxy credentials through error messages when using proxy tunnels.<\/p>\n If credentials are embedded in proxy URLs, they may be exposed via logs or diagnostic outputs, increasing the risk of credential compromise.<\/p>\n Lower-severity flaws include multiple permission model bypasses, such as CVE-2026-48617 and CVE-2026-48935, that allow unintended access to restricted file paths or the modification of metadata.<\/p>\n Another issue, CVE-2026-48936, enables Unix domain socket servers <\/a>to bypass network permission restrictions under specific conditions.<\/p>\n Additionally, a race condition in the HTTP agent (CVE-2026-48931) could allow response queue poisoning, where a client accepts responses before sending requests.<\/p>\n The release also includes important dependency updates to mitigate known vulnerabilities in third-party components.<\/p>\n Updated packages include llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7, and multiple versions of the undici HTTP client across different release lines.<\/p>\n Security experts strongly recommend upgrading to the latest patched versions<\/a>, including Node.js v22.23.0, v24.17.0, and v26.3.1, to mitigate these risks.<\/p>\n As with previous releases, end-of-life versions remain vulnerable and should not be used in production environments.<\/p>\n This update underscores the importance of maintaining up-to-date runtime environments, especially for widely deployed platforms like Node.js that form the backbone of modern web applications and APIs.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Node.js Fixes 12 Vulnerabilities, Including 2 High-Severity Authentication Bypasses<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNode.js Patches Vulnerabilities<\/strong><\/h2>\n
\n\n
\n \nCVE ID<\/th>\n Title<\/th>\n Severity<\/th>\n Affected Release Lines<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2026-48933<\/td>\n WebCrypto AES Integer Overflow \u2014 Remote Process Abort (DoS)<\/td>\n High<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48618<\/td>\n Unicode Dot Separator TLS Wildcard-Depth Authentication Bypass<\/td>\n High<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48615<\/td>\n Proxy Credentials Leaked in ERR_PROXY_TUNNEL Error Message<\/td>\n Medium<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48619<\/td>\n Unbounded Memory Growth via Attacker-Controlled HTTP\/2 ORIGIN Frames<\/td>\n Medium<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48937<\/td>\n HTTP\/2 Sessions Fail to Clean Up After GOAWAY on Invalid Protocol Errors<\/td>\n Medium<\/td>\n 22.x, 24.x<\/td>\n<\/tr>\n \n CVE-2026-48928<\/td>\n Uppercase SNI Context Matching Leads to mTLS Authorization Bypass<\/td>\n Medium<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48930<\/td>\n Embedded-NUL Hostnames Cause Silent Authority Rebinding (C-String Truncation)<\/td>\n Medium<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48934<\/td>\n TLS Host Identity Verification Bypass via Session Reuse with Different Servername<\/td>\n Medium<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48617<\/td>\n Permission Model Bypass via process.report.writeReport() Path Misvalidation<\/td>\n Low<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48935<\/td>\n Permission Model Bypass via FileHandle.utimes() in Promises API<\/td>\n Low<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n \n CVE-2026-48936<\/td>\n Unix Domain Socket Server Bypasses \u2013permission Network Restrictions (Incomplete CVE-2026-21636 Fix)<\/td>\n Low<\/td>\n 26.x only<\/td>\n<\/tr>\n \n CVE-2026-48931<\/td>\n HTTP Response Queue Poisoning via TOCTOU Race Condition in http.Agent<\/td>\n Low<\/td>\n 22.x, 24.x, 26.x<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n