Skip to content
NINTECH
← All insights
Release watch18 June 2026

Node.js ships fixes for twelve CVEs across 22, 24 and 26 lines

The Node.js project released v22.23.0, v24.17.0 and v26.3.1 to fix twelve vulnerabilities, including two high-severity flaws — one enabling a TLS wildcard authentication bypass.

The Node.js project released security updates across all supported lines on 18 June: v22.23.0, v24.17.0 and v26.3.1. The batch fixes twelve CVEs, led by two high-severity issues: CVE-2026-48933, an integer overflow in the WebCrypto AES implementation that lets crafted input abort the process remotely, and CVE-2026-48618, where mishandling of Unicode dot separators in hostname checks can bypass TLS wildcard-depth certificate validation.

The medium and low-severity fixes are worth reading too if you run Node behind proxies or speak HTTP/2: they include proxy credentials leaking in ERR_PROXY_TUNNEL error messages (CVE-2026-48615), unbounded memory growth in http2 clients via attacker-controlled ORIGIN frames (CVE-2026-48619), an mTLS authorisation bypass via uppercase SNI matching (CVE-2026-48928), and several permission-model bypasses. The releases also bundle dependency updates: llhttp 9.4.2, nghttp2 1.69.0 and OpenSSL 3.5.7 on all lines.

A TLS validation bypass in a runtime this widely deployed deserves prompt action. If you build on Node, upgrade to 22.23.0, 24.17.0 or 26.3.1 (or later — the Current line has since moved on to 26.5.0, released 8 July). For containerised workloads, rebuilding against updated official base images picks up the fix; pinned digests and vendored Node binaries will not, so check those explicitly.

While you are there, verify nothing in your estate still runs an end-of-life Node line, as those receive none of these fixes.

Source: Node.js project. Details verified against the source at time of writing — always confirm current patch levels against the vendor's own advisory.

Affected by this? Talk to an engineer.

Node.js ships fixes for twelve CVEs across 22, 24 and 26 lines — Nintech