
On June 18, the Node.js project patched 12 vulnerabilities across all three active release lines — 22.23.0, 24.17.0, and 26.3.1 — in a single coordinated drop. Two are rated HIGH severity: one crashes your process via an integer overflow in the WebCrypto API, the other lets an attacker bypass TLS wildcard authentication entirely. If you haven’t upgraded yet, this is the post you’re reading while you do it.
The Two That Matter Most
The first HIGH-severity bug, CVE-2026-48933, lives in the WebCrypto API. When the input to subtle.encrypt() is a multiple of 2 GiB, the cipher output length calculation overflows, and the process aborts. No graceful error — it dies. The practical risk is any API route that buffers a large upload and passes it to subtle.encrypt() in one shot. A 2 GiB file upload lands squarely on the failure condition. Node.js core contributor Filip Skokan shipped the fix: guard the cipher output length before the overflow can occur.
The second HIGH-severity bug, CVE-2026-48618, is the one that should keep SaaS teams up at night. The Node.js TLS stack didn’t normalize Unicode dot separators during server identity checks, creating a mismatch between how the resolver and the verifier handle hostnames. The practical consequence: an attacker can present a hostname that clears tls.checkServerIdentity() but resolves to a different server. Wildcard certificates — *.example.com — are the default for multi-tenant SaaS, and they’re the specific target. Node.js TSC member Matteo Collina shipped the fix. Unlike a crash, this one is silent — no errors, no alerts, traffic just goes somewhere it shouldn’t.
Note the difference in severity type. A crash is bad; you notice it and you fix it. An authentication bypass is worse; you might never notice until someone tells you they walked in through the front door.
The Other Ten
The remaining ten CVEs are rated MEDIUM. Four are worth knowing about:
- CVE-2026-48934 — TLS session reuse can establish a connection to a different server than originally intended. If session parameters are improperly reused across connections with different server names, the identity check is skipped.
- CVE-2026-48928 — Case-sensitive SNI context matching in multi-context TLS deployments can be exploited to bypass mTLS authorization. An attacker crafts a server name with different casing to slip past the check.
- CVE-2026-48619 — A malicious server can bombard HTTP/2 clients with an unbounded number of ORIGIN frames, pushing the client into an out-of-memory crash. This is a client-side vulnerability — your Node.js app acting as an HTTP/2 client can be taken down by a server you connect to.
- CVE-2026-48615 — Proxy credentials embedded in proxy URLs leak through ERR_PROXY_TUNNEL error messages. If you log errors (you do), those logs now contain your proxy credentials in plain text.
Who Is Most at Risk
The WebCrypto crash (CVE-2026-48933) hits any app that uses subtle.encrypt() on large payloads — file storage APIs, media processing pipelines, anything handling uploads. The TLS bypass (CVE-2026-48618) targets multi-tenant SaaS using wildcard certs and Node’s built-in identity checks. The HTTP/2 OOM (CVE-2026-48619) affects any Node.js service acting as an HTTP/2 client. The proxy credential leak (CVE-2026-48615) hits anyone routing traffic through a proxy with credentials in the URL — common in corporate and cloud environments.
If you’re still on Node.js 18.x, these patches don’t apply to you because that line reached end-of-life in April 2025. Migrate — don’t patch a runtime that no longer receives security updates at all.
Upgrade Now
Patched versions are available now. Pick the command that matches your setup:
nvm:
nvm install 22.23.0 # or 24.17.0 or 26.3.1
nvm alias default 22.23.0
node -v
Docker — update your base image:
FROM node:22.23.0-alpine
GitHub Actions:
- uses: actions/setup-node@v4
  with:
    node-version: '22.23.0'
After upgrading: rebuild Docker images with the pinned patched tag, regenerate your lockfile, run your test suite, and redeploy. An upgraded runtime with a stale lockfile is a half-applied patch.
Why the Simultaneous Release Matters
The Node.js security team patching all three active lines on the same day is not routine. It means they decided the vulnerabilities were serious enough to force a coordinated, same-day drop across the entire active fleet — rather than staggering releases line by line, which would leave some users exposed longer. NodeSource recommends upgrading production systems within 24-48 hours of a release like this. That window has already passed. Check the official Node.js security release advisory for the complete CVE list, read the Node.js 22.23.0 release notes or Node.js 26.3.1 release notes for your line, and get it done. NodeSource’s CVE patch guide is worth bookmarking for your team’s runbook.