
Node.js 26.3.1, 24.17.0, 22.23.0: Four CVEs to Patch Now


Node.js shipped security releases for all three active release lines today: 26.3.1, 24.17.0 LTS, and 22.23.0 LTS. The fixes cover a TLS certificate identity bypass, a WebCrypto integer overflow that aborts the process, an HTTP/2 memory-exhaustion flaw, and two permission model bypasses; four of the issues carry CVE IDs, and two of those are rated HIGH. If you run Node.js in production, your patch window is now.

CVE-2026-48618: TLS Wildcard Authentication Bypass

This is the most consequential fix in the batch. Node.js's DNS resolver and its TLS identity verifier normalized hostnames differently when the name contained Unicode characters that render like an ASCII dot (U+002E) but are not one. Because the two components disagreed on where the label boundaries were, a crafted hostname could pass wildcard certificate validation for a name the certificate does not actually cover. Any app that accepts user-supplied URLs and makes outbound TLS connections to them is in scope.

The patch normalizes the hostname before the identity check runs, so the resolver and the verifier agree on which name is being validated. If your service acts as an HTTPS client to endpoints whose hostnames are user-controlled, this is the CVE to prioritize in this release. Hostname normalization bugs of this kind tend to get public proof-of-concept code quickly once the fix is visible, so treat the patch window as short.
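The following is an added example, not Node.js's own tls.checkServerIdentity() and not a reproduction of the CVE itself. It illustrates the bug class the advisory describes: a wildcard matcher that splits labels only on ASCII '.' is shown beside one that first runs the name through the WHATWG URL parser, whose UTS #46 mapping folds dot look-alikes such as U+3002 IDEOGRAPHIC FULL STOP to a real '.'. The crafted hostname and the certificate pattern are constructed for the demonstration; the use of U+3002 is an assumption about which look-alike character is involved, not taken from the advisory.

```javascript
// Added example (not Node.js's tls.checkServerIdentity()): a wildcard matcher
// that splits labels on ASCII '.' only, beside one that normalizes the name
// the way the URL parser does before matching.

// Label-wise wildcard match in the style of RFC 6125: '*' may appear only as
// the entire left-most label and matches exactly one label.
function naiveWildcardMatch(pattern, hostname) {
  const p = pattern.toLowerCase().split('.');
  const h = hostname.toLowerCase().split('.');
  if (p.length !== h.length) return false;
  return p.every((label, i) => (label === '*' ? i === 0 : label === h[i]));
}

// Normalize a hostname through the WHATWG URL parser (UTS #46 mapping): folds
// dot look-alikes such as U+3002 to '.', lowercases, and punycodes the result.
// Returns null for names the parser rejects.
function normalizeHostname(hostname) {
  try {
    return new URL(`https://${hostname}/`).hostname;
  } catch {
    return null;
  }
}

// Hardened check: match against the normalized name, so the identity check
// sees the same host the resolver will actually connect to.
function hardenedWildcardMatch(pattern, hostname) {
  const normalized = normalizeHostname(hostname);
  if (normalized === null) return false;
  return naiveWildcardMatch(pattern, normalized);
}

// Constructed sample: "foo" and "bar" joined by U+3002 (assumed look-alike),
// checked against a wildcard certificate for *.example.com.
const CRAFTED = 'foo\u3002bar.example.com';
const PATTERN = '*.example.com';

// What each checker decides, side by side.
function compare(pattern, hostname) {
  return {
    normalized: normalizeHostname(hostname),
    naive: naiveWildcardMatch(pattern, hostname),
    hardened: hardenedWildcardMatch(pattern, hostname),
  };
}

console.log(compare(PATTERN, CRAFTED));
```

The naive matcher sees three labels (`foo。bar`, `example`, `com`) and accepts; after normalization the name has four labels and the single-label wildcard correctly rejects it. The point is not the specific character but that whichever component resolves the name and whichever component checks the certificate must operate on the same string.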

CVE-2026-48933: WebCrypto AES DoS via Integer Overflow

Calling subtle.encrypt() with input whose length is a multiple of 2 GiB causes an integer overflow when computing the output buffer length, producing a negative buf_len value and a hard process crash. This is a denial of service, not remote code execution, but a process abort is enough to take down a service.

The gut reaction from most teams will be "nobody sends us 2 GB payloads." That is the wrong frame. The threshold is where the overflow triggers, not a natural size limit, and an attacker can construct input at that boundary deliberately. Any endpoint that accepts file uploads without a hard cap below 2 GiB and passes them to WebCrypto is reachable. File encryption endpoints, JWT libraries using WebCrypto under the hood, any service doing browser-style crypto in server-side Node.js: check your input validation. The fix, from Filip Skokan (the Node.js crypto module maintainer), guards the cipher output length calculation before allocation.
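As an added example (not the Node.js patch and not its exact arithmetic), the block below shows why the 2 GiB boundary matters and what an application-side guard looks like. It assumes the overflow class is signed 32-bit truncation of an output length derived from the input length plus one AES block; the precise expression Node.js computes is in the fix, not reproduced here. The size limits and the `encryptBounded` wrapper are this example's own, and the wrapper assumes a Node.js version where `globalThis.crypto.subtle` exists (19 and later).

```javascript
// Added example, not the Node.js fix: simulate a signed 32-bit output-length
// computation at the 2 GiB boundary, and guard input size before any data
// reaches subtle.encrypt(). The "+ one AES block" shape is an assumption.

const AES_BLOCK_BYTES = 16;
const INT32_MAX = 2 ** 31 - 1;
const TWO_GIB = 2 ** 31;

// Simulate the output-length arithmetic as a C `int` would perform it:
// JavaScript's `| 0` truncates to signed 32-bit exactly like the C conversion.
function int32OutputLength(inputBytes) {
  return (inputBytes + AES_BLOCK_BYTES) | 0;
}

// True when the computed length goes negative (the crash the advisory describes).
function wrapsNegative(inputBytes) {
  return int32OutputLength(inputBytes) < 0;
}

// True when the 32-bit result differs from the real value at all: even
// multiples of 2 GiB wrap to a tiny positive length rather than a negative one.
function isMiscomputed(inputBytes) {
  return int32OutputLength(inputBytes) !== inputBytes + AES_BLOCK_BYTES;
}

// Application-level guard: the hard ceiling is "padded output must fit a
// signed 32-bit length"; callers should pass a far lower cap for uploads.
function assertWebCryptoInputSize(byteLength, maxBytes = INT32_MAX - AES_BLOCK_BYTES) {
  if (!Number.isSafeInteger(byteLength) || byteLength < 0) {
    throw new RangeError(`invalid input length ${byteLength}`);
  }
  if (byteLength > maxBytes) {
    throw new RangeError(`input of ${byteLength} bytes exceeds limit of ${maxBytes}`);
  }
  return byteLength;
}

// Bounded wrapper around WebCrypto AES-GCM (assumes globalThis.crypto, Node.js 19+).
// The guard runs before the native call, so an oversized buffer is rejected
// with an exception instead of aborting the process.
async function encryptBounded(key, iv, data, maxBytes) {
  assertWebCryptoInputSize(data.byteLength, maxBytes);
  return globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data);
}

// Constructed sizes: a normal payload, exactly 2 GiB, and 4 GiB.
for (const n of [1024, TWO_GIB, 2 * TWO_GIB]) {
  console.log(n, int32OutputLength(n), isMiscomputed(n) ? 'MISCOMPUTED' : 'ok');
}
```

Note that the guard is a backstop, not the control: an upload handler should enforce its own much smaller limit (and enforce it on the stream, before buffering) so that memory pressure, not just this overflow, is bounded.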

HTTP/2 ORIGIN Frame Memory Exhaustion

RFC 8336 defines HTTP/2 ORIGIN frames as a mechanism for servers to advertise additional origins they’re authoritative for. Node.js’s HTTP/2 client placed no cap on how many of these frames it would store. A malicious server can flood a connecting HTTP/2 client with ORIGIN frames until the client runs out of memory.

Matteo Collina (Fastify maintainer, Node.js TSC member) landed the fix. As Node.js’s native fetch() via undici gains adoption and gRPC-over-HTTP/2 becomes standard, client-side HTTP/2 vulnerabilities affect a much wider surface than they did two years ago. Any Node.js service connecting to external HTTP/2 endpoints is a client here.
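To make the missing control concrete, here is an added example that is not Node.js's http2 implementation: a parser for the RFC 8336 ORIGIN frame payload (a sequence of 16-bit Origin-Len fields each followed by an ASCII-Origin) and a per-session origin set with hard caps on entry count and total bytes. The cap values, the `BoundedOriginSet` class, and the sample frames are this example's own; the flood frame is constructed to show the cap engaging.

```javascript
// Added example, not Node.js's http2 code: parse RFC 8336 ORIGIN frame
// payloads and keep the resulting origin set bounded. Limits are assumed
// policy values for the demonstration, not Node.js defaults.

const MAX_ORIGINS_PER_SESSION = 64;
const MAX_ORIGIN_SET_BYTES = 8 * 1024;

// Parse one ORIGIN frame payload: zero or more Origin-Entry, each a 16-bit
// big-endian Origin-Len followed by that many bytes of ASCII-Origin.
function parseOriginFrame(payload) {
  const origins = [];
  let offset = 0;
  while (offset < payload.length) {
    if (offset + 2 > payload.length) throw new Error('truncated Origin-Len');
    const len = payload.readUInt16BE(offset);
    offset += 2;
    if (offset + len > payload.length) throw new Error('truncated ASCII-Origin');
    origins.push(payload.toString('ascii', offset, offset + len));
    offset += len;
  }
  return origins;
}

// Build a payload from origin strings (used here to construct sample frames).
function buildOriginFrame(origins) {
  return Buffer.concat(origins.map((o) => {
    const body = Buffer.from(o, 'ascii');
    const len = Buffer.alloc(2);
    len.writeUInt16BE(body.length, 0);
    return Buffer.concat([len, body]);
  }));
}

// Per-session origin set with hard caps on count and total bytes. Origins
// beyond the cap are counted and dropped, never stored, so a server that
// floods ORIGIN frames cannot grow the client's memory without bound.
class BoundedOriginSet {
  constructor(maxEntries = MAX_ORIGINS_PER_SESSION, maxBytes = MAX_ORIGIN_SET_BYTES) {
    this.maxEntries = maxEntries;
    this.maxBytes = maxBytes;
    this.origins = new Set();
    this.bytes = 0;
    this.dropped = 0;
  }

  // Apply one ORIGIN frame. Returns the number of origins actually stored.
  applyFrame(payload) {
    let stored = 0;
    for (const origin of parseOriginFrame(payload)) {
      if (this.origins.has(origin)) continue; // duplicates cost nothing
      if (this.origins.size >= this.maxEntries || this.bytes + origin.length > this.maxBytes) {
        this.dropped += 1;
        continue;
      }
      this.origins.add(origin);
      this.bytes += origin.length;
      stored += 1;
    }
    return stored;
  }
}

// Constructed samples: a legitimate two-origin frame, then a single
// well-formed frame carrying 1000 distinct origins.
const legitFrame = buildOriginFrame(['https://api.example', 'https://cdn.example']);
const floodFrame = buildOriginFrame(
  Array.from({ length: 1000 }, (_, i) => `https://h${i}.example`),
);

function demo() {
  const set = new BoundedOriginSet();
  const storedLegit = set.applyFrame(legitFrame);
  const storedFlood = set.applyFrame(floodFrame);
  return { storedLegit, storedFlood, total: set.origins.size, dropped: set.dropped };
}

console.log(demo());
```

A real client would also want a per-session cap on the number of ORIGIN frames accepted and a way to surface the dropped count, so that a peer hitting the limit is visible in telemetry rather than silently clipped.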

Permission Model Bypasses

Two low-severity bypasses of Node.js’s experimental --permission flag: CVE-2026-48617 (path misvalidation in process.report.writeReport()) and CVE-2026-48935 (FileHandle.utimes() timestamp manipulation bypass). Both let code write to restricted filesystem paths even when the permission model is active. If you are not running Node.js with the --permission flag, these don’t apply. If you are using it as a security boundary, patch now.

Dependency Updates

All three release lines include dependency bumps: OpenSSL 3.5.7, nghttp2 1.69.0, and llhttp 9.4.2. Undici receives version-specific patches: 8.5.0 on 26.x, 7.28.0 on 24.x, and 6.27.0 on 22.x.

How to Update

# nvm
nvm install 26.3.1 && nvm use 26.3.1

# fnm
fnm install 26.3.1 && fnm use 26.3.1

# Docker: pull updated base images
docker pull node:26-alpine
docker pull node:24-alpine
docker pull node:22-alpine

# Verify the interpreter you are actually running (expect 26.3.1, 24.17.0 or 22.23.0)
node --version

For managed runtimes (AWS Lambda, Google Cloud Functions), check vendor security bulletins and verify your function’s runtime version. Container images using node:22, node:24, or node:26 base images should rebuild after pulling updated digests.
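For fleets where `node --version` is not something you run by hand, the following added script (not from the Node.js release notes) compares a running version against the patched versions listed in this post. The table and the status labels are this example's own; a major not in the table is reported as 'unlisted' rather than guessed at.

```javascript
// Added example: report whether a Node.js version is at or past the patched
// release for its line, using the versions this post lists. Not official tooling.

// Patched versions named in the post, keyed by major release line.
const PATCHED = { 22: '22.23.0', 24: '24.17.0', 26: '26.3.1' };

// Parse "v24.16.1" or "24.16.1" into [major, minor, patch]. Throws on junk.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-component comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// 'patched', 'vulnerable', or 'unlisted' (a major the post's table does not cover).
function patchStatus(version) {
  const running = parseVersion(version);
  const fixed = PATCHED[running[0]];
  if (fixed === undefined) return 'unlisted';
  return compareVersions(running, parseVersion(fixed)) >= 0 ? 'patched' : 'vulnerable';
}

// Check the interpreter this script runs under.
console.log(process.version, patchStatus(process.version));
```

Run it inside each container image or managed runtime you care about; an 'unlisted' result means the line is outside the three this release covers and needs a separate decision, not that it is safe.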

The full Node.js security advisory lists all four issues with CVE IDs and CVSS scores. Individual release notes are available for 26.3.1 and 24.17.0. For a deeper technical breakdown of the CVE mechanics, the Endor Labs analysis is worth reading.

ByteBot