EXECUTIVE SUMMARY:
Multiple vulnerabilities have been identified in Node.js runtime versions. The flaws span authentication bypass, denial‑of‑service, memory exhaustion, credential leakage, and permission‑model bypasses. Improper handling of Unicode dot separators and SNI case‑sensitivity can undermine TLS certificate validation, while integer overflow in the WebCrypto API may crash processes. Malformed HTTP/2 frames and embedded null bytes can trigger resource depletion or silent authority rebinding. Several issues also permit unauthorized file‑system or network‑permission access. Collectively, these weaknesses expose web services, APIs, and micro‑services to data compromise, service disruption, and regulatory non‑compliance.
CVE-2026-48933 with a CVSS score of 7.4 – An integer overflow in the WebCrypto subtle.encrypt() function triggered by inputs that are exact multiples of 2 GiB can abort the Node.js process, leading to a denial‑of‑service; attackers must be able to invoke the encryption API with oversized data.
CVE-2026-48618 with a CVSS score of 7.5 – An authentication bypass in TLS hostname verification caused by Unicode dot separators allows attackers to spoof wildcard certificates when the resolver and verifier normalize hostnames differently; exploitation requires a crafted hostname and a vulnerable Node.js TLS client.
CVE-2026-48615 with a CVSS score of 6.4 – Proxy credentials embedded in URLs are leaked through ERR_PROXY_TUNNEL error messages, exposing secrets to logs or error outputs.
CVE-2026-48619 with a CVSS score of 5.3 – Attacker‑controlled HTTP/2 ORIGIN frames cause unbounded memory growth in clients, leading to resource exhaustion and possible service crashes.
CVE-2026-48937 with a CVSS score of 5.3 – HTTP/2 sessions fail to clean up after GOAWAY on invalid protocol errors, causing resource leakage that can be triggered by malformed frames.
CVE-2026-48928 with a CVSS score of 5.5 – Case‑sensitive SNI matching can be abused to bypass mutual TLS authorization, allowing attackers to present altered SNI values to gain access to restricted services.
CVE-2026-48930 with a CVSS score of 5.4 – Embedded null bytes in hostnames trigger C‑string truncation, causing silent authority rebinding and potential redirection to attacker‑controlled servers.
CVE-2026-48934 with a CVSS score of 5.3 – Session reuse with a different server name bypasses TLS host identity verification, enabling unauthorized connections; exploitation works when TLS sessions are cached and reused across hosts.
CVE-2026-48617 with a CVSS score of 3.3 – Misvalidation of paths in process.report.writeReport() permits writing reports to arbitrary locations, granting unauthorized file‑system access.
CVE-2026-48935 with a CVSS score of 3.3 – The FileHandle.utimes() method in the Promises API can be used to modify file timestamps without proper permissions, facilitating covert data manipulation.
CVE-2026-48936 with a CVSS score of 3.4 – Unix domain socket servers can bypass network permission restrictions, allowing privileged communication channels to be established under certain conditions.
CVE-2026-48931 with a CVSS score of 3.3 – A TOCTOU race condition in http.Agent enables response queue poisoning, where a client may accept forged responses before sending requests.
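Three of the TLS issues above share a root cause: a hostname or server name reaches the TLS layer without a single canonical form (Unicode dot separators, embedded null bytes, and case-sensitive SNI comparison). The following is an added defensive pre-check written for this advisory; it is not code from the Node.js project, and the function names and the allow-list structure are assumptions. It rejects hostnames that contain NUL bytes or non-ASCII label separators and folds case before any SNI comparison, so that input never reaches tls.connect() or a servername callback in an ambiguous form.

```javascript
// Added example (not from the advisory or the Node.js project): validate a
// hostname before it is handed to tls.connect() or compared as an SNI value.
// Rejects the input classes the advisory describes: embedded NUL bytes
// (C-string truncation), non-ASCII dot-like separators (resolver/verifier
// normalisation mismatch), and returns a lower-cased canonical form so that
// server-name comparisons are case-insensitive.

// Code points that IDNA treats as label separators besides U+002E.
const UNICODE_DOT_SEPARATORS = new Set(["\u3002", "\uFF0E", "\uFF61"]);

// One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 chars.
const LABEL_RE = /^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$/;

function validateHostname(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) {
    return { ok: false, reason: "empty or too long" };
  }
  if (host.includes("\0")) {
    return { ok: false, reason: "embedded NUL byte" };
  }
  for (const ch of host) {
    if (UNICODE_DOT_SEPARATORS.has(ch)) {
      return { ok: false, reason: "non-ASCII dot separator" };
    }
    const code = ch.codePointAt(0);
    if (code < 0x21 || code > 0x7e) {
      return { ok: false, reason: "non-ASCII or control character" };
    }
  }
  for (const label of host.split(".")) {
    if (!LABEL_RE.test(label)) {
      return { ok: false, reason: `invalid label "${label}"` };
    }
  }
  // Canonical form for comparison: DNS names are case-insensitive.
  return { ok: true, hostname: host.toLowerCase() };
}

// Decide whether a presented SNI value matches an allow-list (hypothetical
// policy helper), comparing canonical lower-cased forms only.
function sniAllowed(servername, allowList) {
  const v = validateHostname(servername);
  if (!v.ok) return false;
  return allowList.map((h) => h.toLowerCase()).includes(v.hostname);
}
```

The check is deliberately stricter than DNS itself (it rejects a trailing dot and any non-ASCII input); services that accept internationalised names should run IDNA conversion to ASCII first and then apply this validator to the result.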
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/node-js-patches-12-vulnerabilities/