CVE Catalog

CVE-2026-48619

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.58%

43th percentile — higher than 43% of all known CVEs

Summary

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

A malicious server can exhaust the client's memory, causing a crash or denial of service (DoS) for applications using Node.js.

Recommendation

Immediately update Node.js to the latest patched version for your release line (22, 24, or 26). If an update is not possible, restrict trust to HTTP/2 servers or apply firewall rules to limit the number of ORIGIN frames.

Original NVD description (English source)

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS