Node.js ships fixes for twelve CVEs across 22, 24 and 26 lines
The Node.js project released v22.23.0, v24.17.0 and v26.3.1 to fix twelve vulnerabilities, including two high-severity flaws — one enabling a TLS wildcard authentication bypass.
The Node.js project released security updates across all supported lines on 18 June: v22.23.0, v24.17.0 and v26.3.1. The batch fixes twelve CVEs, led by two high-severity issues: CVE-2026-48933, an integer overflow in the WebCrypto AES implementation that lets crafted input abort the process remotely, and CVE-2026-48618, where mishandling of Unicode dot separators in hostname checks can bypass TLS wildcard-depth certificate validation.
The medium and low-severity fixes are worth reading too if you run Node behind proxies or speak HTTP/2: they include proxy credentials leaking in ERR_PROXY_TUNNEL error messages (CVE-2026-48615), unbounded memory growth in http2 clients via attacker-controlled ORIGIN frames (CVE-2026-48619), an mTLS authorisation bypass via uppercase SNI matching (CVE-2026-48928), and several permission-model bypasses. The releases also bundle dependency updates: llhttp 9.4.2, nghttp2 1.69.0 and OpenSSL 3.5.7 on all lines.
A TLS validation bypass in a runtime this widely deployed deserves prompt action. If you build on Node, upgrade to 22.23.0, 24.17.0 or 26.3.1 (or later — the Current line has since moved on to 26.5.0, released 8 July). For containerised workloads, rebuilding against updated official base images picks up the fix; pinned digests and vendored Node binaries will not, so check those explicitly.
While you are there, verify nothing in your estate still runs an end-of-life Node line, as those receive none of these fixes.
Source: Node.js project. Details verified against the source at time of writing — always confirm current patch levels against the vendor's own advisory.
more news
Affected by this? Talk to an engineer.