Node.js ships security releases: 12 CVEs, 2 rated HIGH
On June 18, 2026, Node.js patched all three lines (22, 24, 26) for 12 CVEs — two HIGH: a WebCrypto DoS crash and a TLS wildcard auth bypass. Dependency bumps to openssl, llhttp, nghttp2 and undici ship too; upgrade promptly.
On June 18, 2026, the Node.js project released security updates for all three supported lines — 22.23.0, 24.17.0 and 26.3.1 — fixing 12 CVEs, with the highest severity rated HIGH across every line.
Key points
- CVE-2026-48933 (HIGH): an integer overflow in WebCrypto AES can crash the process if the
subtle.encrypt()input is a multiple of 2GiB (DoS). - CVE-2026-48618 (HIGH): a hostname normalization mismatch between resolver and verifier enables a TLS wildcard-depth authentication bypass.
- Several medium/low TLS and HTTP/2 CVEs: including proxy credential leakage (CVE-2026-48615), an mTLS bypass from case-sensitive hostname matching (CVE-2026-48928), and multiple Permission Model bypasses.
- Dependency updates: llhttp 9.4.2, nghttp2 1.69.0, openssl 3.5.7 across all lines; undici 8.5.0/7.28.0/6.27.0 respectively.
- Guidance: upgrade promptly; End-of-Life versions are always affected when a security release occurs.
Source
Node.js
#Node.js#security#CVE#TLS#WebCrypto
This summary was written by the ORA·tech AI assistant. Read the original for full context.
Related
Backend, API & Architecture
GitHub Issue Fields reach general availability
Backend, API & Architecture
Cloudflare opens Monetization Gateway: charge via x402
Backend, API & Architecture
