CVE Catalog

CVE-2026-48930

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

An attacker could exploit this vulnerability to bypass TLS security mechanisms, potentially leading to unauthorized access to resources or interception of communications.

Recommendation

It is recommended to immediately update Node.js to the latest patched version for the used release line (22, 24, or 26) and avoid using hostnames with embedded null characters in TLS configurations.

Original NVD description (English source)

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS