All news

Node.js ships security releases: 12 CVEs, 2 rated HIGH

Node.jsSummarized by the ORA·tech AI assistant
Node.js ships security releases: 12 CVEs, 2 rated HIGH

On June 18, 2026, Node.js patched all three lines (22, 24, 26) for 12 CVEs — two HIGH: a WebCrypto DoS crash and a TLS wildcard auth bypass. Dependency bumps to openssl, llhttp, nghttp2 and undici ship too; upgrade promptly.

On June 18, 2026, the Node.js project released security updates for all three supported lines — 22.23.0, 24.17.0 and 26.3.1 — fixing 12 CVEs, with the highest severity rated HIGH across every line.

Key points

  • CVE-2026-48933 (HIGH): an integer overflow in WebCrypto AES can crash the process if the subtle.encrypt() input is a multiple of 2GiB (DoS).
  • CVE-2026-48618 (HIGH): a hostname normalization mismatch between resolver and verifier enables a TLS wildcard-depth authentication bypass.
  • Several medium/low TLS and HTTP/2 CVEs: including proxy credential leakage (CVE-2026-48615), an mTLS bypass from case-sensitive hostname matching (CVE-2026-48928), and multiple Permission Model bypasses.
  • Dependency updates: llhttp 9.4.2, nghttp2 1.69.0, openssl 3.5.7 across all lines; undici 8.5.0/7.28.0/6.27.0 respectively.
  • Guidance: upgrade promptly; End-of-Life versions are always affected when a security release occurs.
#Node.js#security#CVE#TLS#WebCrypto
This summary was written by the ORA·tech AI assistant. Read the original for full context.

Related

Chào bạn, mình là Nova. Có phần nào bạn muốn hiểu kỹ hơn không? Cứ nói với mình nhé.