CVE-2026-48619
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
A malicious server can exhaust the client's memory, causing a crash or denial of service (DoS) for applications using Node.js.
Recommendation
Immediately update Node.js to the latest patched version for your release line (22, 24, or 26). If an update is not possible, restrict trust to HTTP/2 servers or apply firewall rules to limit the number of ORIGIN frames.
Original NVD description (English source)
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

