Node Js

14 CVEs product

CVE-2026-48936 LOW PATCH Monitor

Node.js Permission Model fails to apply net scope guards to pipe open and chmod operations, enabling a local authenticated user to bypass intended access control boundaries enforced by the experimental Permission Model. Affected is Node.js v26.x prior to v26.3.1 (Current release line), disclosed in the June 2026 security release. Rated Low severity by the Node.js team; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Node Js
NVD GitHub
CVSS 3.0: 3.3
EPSS: 0.1%
CVE-2026-48933 HIGH PATCH This Week

Denial of service in Node.js 26.x (fixed in 26.3.1) arises from an unguarded integer overflow when computing WebCrypto cipher output buffer lengths, allowing remote attackers to crash a process that performs SubtleCrypto encrypt/decrypt operations on attacker-influenced data. Rated High by the Node.js project (CVSS 7.5, availability-only impact). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Integer Overflow Node Js
NVD GitHub VulDB
CVSS 3.1: 7.5
EPSS: 0.6%
CVE-2026-48619 HIGH PATCH This Week

Denial of service in Node.js HTTP/2 lets a remote peer exhaust process memory by driving unbounded growth of the connection's originSet, the structure that tracks origins advertised via HTTP/2 ORIGIN frames. It affects the 22.x, 24.x and 26.x release lines up to and including Node 22.22.3, 24.16.0 and 26.3.0, and is fixed in the June 2026 security release (26.3.1). There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.51%), but availability impact is rated High.

Denial Of Service Red Hat Suse Node Js
NVD GitHub VulDB
CVSS 3.1: 7.5
EPSS: 0.5%
CVE-2026-48930 CRITICAL PATCH Act Now

Hostname validation bypass in Node.js (versions 22.22.3, 24.16.0, and 26.3.0) lets attackers smuggle embedded NUL bytes through the dns and net subsystems, truncating a hostname after the NUL so that application-level allowlists, SNI checks, or destination filters validate one host while the runtime resolves or connects to another. The Node.js project rates this specific issue Medium and shipped the fix in its June 2026 security release; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.28%, 20th percentile), and it is not in CISA KEV. Note a significant signal conflict: the aggregate input score of CVSS 9.8 with an 'Authentication Bypass' tag is far above the vendor's own Medium rating for this CVE and appears to be an inflated pre-NVD auto-score.

Authentication Bypass Red Hat Suse Node Js
NVD GitHub VulDB
CVSS 3.1: 9.8
EPSS: 0.3%
CVE-2026-48935 LOW PATCH Monitor

Node.js permission model bypass via FileHandle.utimes() allows local low-privilege users to modify file timestamps on paths outside their permitted write scope. Affecting Node.js 26.x before v26.3.1, this flaw is only exploitable when the experimental permission model is explicitly enabled via --experimental-permission, substantially limiting exposure. No public exploit code or active exploitation has been identified at time of analysis, and the vendor-released patch (v26.3.1) is confirmed available as of 2026-06-18.

Privilege Escalation Node Js
NVD GitHub VulDB
CVSS 3.0: 3.3
EPSS: 0.1%
CVE-2026-48615 HIGH PATCH This Week

Sensitive information disclosure in Node.js (versions 26.3.0, 24.16.0, and 22.22.3) leaks embedded proxy credentials when a CONNECT tunnel connection fails, because the full proxy URL - including username and password - is included verbatim in the resulting tunnel error message rather than being redacted. Anyone able to read those error strings (application logs, error responses, monitoring/telemetry pipelines) can recover the proxy authentication secret. This is a Medium-rated, post-disclosure security-release fix (fixed in v26.3.1); there is no public exploit identified at time of analysis and EPSS is low at 0.38% (30th percentile).

Information Disclosure Red Hat Suse Node Js
NVD GitHub VulDB
CVSS 3.1: 7.5
EPSS: 0.4%
CVE-2026-48618 MEDIUM PATCH This Month

Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.

Information Disclosure Red Hat Suse Node Js
NVD GitHub VulDB
CVSS 3.1: 6.5
EPSS: 0.6%
CVE-2026-48931 LOW POC PATCH Monitor

Response queue poisoning in Node.js http.Agent allows network-accessible attackers to corrupt the HTTP keep-alive connection pool via a TOCTOU race condition, causing responses to be delivered to the wrong request handler. Affected is Node.js v26.x prior to v26.3.1, as disclosed in the June 2026 security release. Exploitation requires high attack complexity due to the race window, and no public exploit has been identified at time of analysis; this is rated Low severity (CVSS 3.7) by the Node.js team.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.1: 3.7
EPSS: 0.3%
CVE-2026-48934 MEDIUM PATCH This Month

TLS session resumption in Node.js fails to bind reusable sessions to the originally authenticated host, enabling an information disclosure pathway. Affected versions are Node.js 26.x prior to 26.3.1 (Current channel), as disclosed in the June 2026 security release. An attacker with low network-level privilege can cause a cached TLS session, established and authenticated against one hostname, to be reused for a distinct, attacker-influenced host, potentially bypassing host-based authentication. No public exploit code or CISA KEV listing is present at time of analysis.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.0: 4.3
EPSS: 0.3%
CVE-2026-48928 MEDIUM PATCH This Month

TLS SNI context matching in Node.js performs case-sensitive hostname comparison, enabling network-accessible low-privileged attackers to bypass intended server-side TLS context selection by varying the casing of the SNI hostname in a ClientHello message. Affected versions prior to 26.3.1 may serve an incorrect TLS certificate or context when a client sends an SNI value with unexpected casing (e.g., 'EXAMPLE.COM' versus 'example.com'), yielding limited confidentiality and integrity impacts in multi-hostname deployments. No public exploit code or active exploitation has been identified; the fix shipped as part of the Node.js June 2026 coordinated security release alongside ten other CVEs.

Authentication Bypass Red Hat Suse Node Js
NVD GitHub VulDB
CVSS 3.1: 5.4
EPSS: 0.2%
CVE-2025-59465 HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Denial Of Service Node.js Node Js
NVD HeroDevs VulDB
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-55130 CRITICAL PATCH Act Now

Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.

Information Disclosure Node.js Node Js
NVD VulDB
CVSS 3.1: 9.1
EPSS: 0.0%
CVE-2025-23084 MEDIUM PATCH This Month

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.

Windows Path Traversal Node.js Microsoft Suse +1
NVD
CVSS 3.1: 5.5
EPSS: 1.3%
CVE-2024-3566 CRITICAL POC Act Now

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PHP, Rust, Haskell process library, yt-dlp) that wrap the API without compensating for its quirks. Remote attackers can smuggle additional commands through arguments passed to child processes when applications spawn batch files or otherwise rely on CreateProcess's implicit cmd.exe handling. Publicly available exploit code exists and EPSS of 7.09% (92nd percentile) signals elevated, though not confirmed in-the-wild, exploitation interest; this CVE is not listed in CISA KEV.

PHP Command Injection Microsoft Rust Yt Dlp +2
NVD GitHub VulDB
CVSS 3.1: 9.8
EPSS: 7.1%