CVE-2026-48930
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
An attacker could exploit this vulnerability to bypass TLS security mechanisms, potentially leading to unauthorized access to resources or interception of communications.
Recommendation
It is recommended to immediately update Node.js to the latest patched version for the used release line (22, 24, or 26) and avoid using hostnames with embedded null characters in TLS configurations.
Original NVD description (English source)
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

