Skip to main content

Node.js CVE-2026-48937

| EUVDEUVD-2026-37928 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
5.3
CVSS 3.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable HTTP/2 endpoint, no auth or interaction needed; impact confined to partial availability via resource consumption.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 18, 2026 - 19:41 vuln.today
Analysis Generated
Jun 18, 2026 - 19:41 vuln.today
CVSS changed
Jun 18, 2026 - 19:38 NVD
5.3 (MEDIUM)
CVE Published
Jun 18, 2026 - 04:37 github-releases
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via GitHub release of nodejs/node. NVD scoring and full description are pending.

AnalysisAI

Denial-of-service exposure in Node.js HTTP/2 handling stems from integration defects with the nghttp2 library, addressed in the Node.js 24.17.0 'Krypton' LTS security release on 2026-06-18. Remote, unauthenticated attackers (per CVSS:3.0/PR:N/AV:N) can trigger availability degradation through crafted HTTP/2 traffic exploiting the flawed nghttp2 integration layer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Node.js HTTP/2 endpoint
Delivery
Send crafted HTTP/2 frames
Exploit
Trigger nghttp2 integration defect
Execution
Exhaust or corrupt processing resources
Impact
Degrade service availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running Node.js 24.x prior to 24.17.0 with HTTP/2 enabled - which is opt-in via the http2 module or server configuration, not the default for basic HTTP/1.1 servers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.3 (Medium) with A:L reflects a genuine but bounded risk: availability impact is rated Low rather than High, suggesting partial or transient disruption rather than complete service crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a sequence of crafted HTTP/2 frames to a publicly accessible Node.js 24.x server, triggering the integration defect between Node.js and the bundled nghttp2 library, causing degraded availability - such as elevated memory consumption, processing stalls, or partial request handling failures - without requiring authentication or user interaction. Because AC:L and PR:N, this scenario requires no special setup beyond a reachable HTTP/2 endpoint. …
Remediation Upgrade to Node.js 24.17.0 ('Krypton' LTS) or later, available at https://github.com/nodejs/node/releases/tag/v24.17.0 and detailed in the Node.js security advisory at https://nodejs.org/en/blog/vulnerability/june-2026-security-releases. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Web and Scripting 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Affected

Share

CVE-2026-48937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy