Node.js has issued a significant security update to address 12 vulnerabilities, including two high-severity flaws that pose risks of authentication bypass and denial-of-service (DoS) attacks. These updates are essential for maintaining the integrity and security of applications relying on Node.js.
Critical Vulnerabilities Revealed
The update impacts Node.js versions 22.x, 24.x, and 26.x, with new patches available as of June 18, 2026. Among the critical issues is CVE-2026-48618, which involves improper Unicode dot separator handling in TLS hostname verification. This vulnerability can lead to mismatches between hostname normalization by the resolver and verifier, potentially allowing attackers to bypass TLS wildcard-based authentication.
Another high-severity vulnerability, CVE-2026-48933, affects the WebCrypto API. It arises from an integer overflow when the subtle.encrypt() function processes inputs that are multiples of 2 GiB, risking remote process crashes and DoS conditions.
Additional Vulnerabilities Addressed
Further vulnerabilities include CVE-2026-48934, which allows TLS host identity verification bypass via session reuse with a different server name. Additionally, CVE-2026-48928 involves case-sensitive hostname matching, potentially bypassing mutual TLS (mTLS) authorization in multi-context deployments.
Node.js also resolved CVE-2026-48930, where embedded null bytes in hostnames could lead to silent authority rebinding. Another concern, CVE-2026-48619, exposes HTTP/2 clients to unbounded memory growth due to attacker-controlled ORIGIN frames, risking resource exhaustion.
Importance of Timely Updates
Security experts emphasize the importance of upgrading to the latest patched versions, such as Node.js v22.23.0, v24.17.0, and v26.3.1, to mitigate these vulnerabilities. The updates also include dependency updates for components like llhttp 9.4.2, nghttp2 1.69.0, and OpenSSL 3.5.7.
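A practical first step after reading an advisory like this is confirming that every deployed interpreter is at or above the patched release for its major line. The following script is an added example, not code from the Node.js project or from this article; it compares a version string against the minimum patched releases named above (v22.23.0, v24.17.0, v26.3.1) and flags any major line the advisory does not list, since those lines get no fix from this release. The function and table names are assumptions made for the example.

```javascript
// Added example (not from the Node.js project or the article): check whether a
// Node.js build is at or above the patched releases named in the advisory, and
// flag major lines the advisory does not cover.

// Minimum patched release per major line, as listed in the article.
const PATCHED = {
  22: [22, 23, 0],
  24: [24, 17, 0],
  26: [26, 3, 1],
};

// Parse "v24.17.0" or "24.17.0" into a [major, minor, patch] number tuple.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised version string: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a version string as 'patched', 'vulnerable' or 'unsupported-major'.
// A major with no entry in PATCHED receives no fix from this release, so it is
// reported separately rather than silently treated as safe.
function checkVersion(str) {
  const v = parseVersion(str);
  const floor = PATCHED[v[0]];
  if (!floor) {
    return {
      version: v.join('.'),
      status: 'unsupported-major',
      detail: `no patched ${v[0]}.x release listed in the advisory`,
    };
  }
  const ok = compareVersions(v, floor) >= 0;
  return {
    version: v.join('.'),
    status: ok ? 'patched' : 'vulnerable',
    detail: `minimum patched release for ${v[0]}.x is ${floor.join('.')}`,
  };
}

// Stand-alone use: report on the interpreter running this script.
console.log(checkVersion(process.versions.node));
```

Run it with `node check-node-version.js` on each host, or feed it the output of `node --version` collected from a fleet inventory; a result of `unsupported-major` means the line is outside this release's coverage and needs a migration plan rather than a point upgrade.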
This release highlights the critical nature of maintaining current software environments, especially for platforms like Node.js, which are integral to modern web applications and APIs. It serves as a reminder of the ongoing need for vigilance in cybersecurity practices.
End-of-life versions remain susceptible to these vulnerabilities and should be avoided in production settings.
