CVE-2026-48618

Published Jun 26, 2026

Last updated 8 days ago

Overview

Description
A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a hostname normalization mismatch between the resolver and the verifier. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Source: support@hackerone.com
NVD status: Analyzed
Products: node.js

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

CVSS 3.0

Type: Secondary
Base score: 7.7
Impact score: 4
Exploitability score: 3.1
Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity: HIGH

Weaknesses

support@hackerone.com
CWE-176

Social media

Hype score
Not currently trending
  1. After analyzing 44% of vulnerabilities from the past week, CVE-2026-48618 has 9 articles published from different internet sources; no other CVE has this many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert

    @stooee_

    2 Jul 2026


  2. ⚠️ Vulnerabilities in Node.js products ❗ CVE-2026-48933 ❗ CVE-2026-48618 ➡️ More info: https://t.co/T7ozh8Eldm https://t.co/HuO8PJ3WnA

    @CERTpy

    2 Jul 2026


  3. Node.js fixes 12 vulnerabilities in its June 2026 security release (CVE-2026-48933, CVE-2026-48618) and more https://t.co/9aJi3HQB4i #セキュリティ対策Lab #security #securitynews

    @securityLab_jp

    22 Jun 2026


  4. 🚨 Node.js patched all active LTS lines on June 18. CVE-2026-48618: IPv6 dots bypass TLS wildcard certs. CVE-2026-48933: WebCrypto AES crash, remote process abort. Patch to 22.23.0 / 24.17.0 / 26.3.1. How long before your team ships this?

    @dartilesm

    21 Jun 2026


  5. Node.js shipped 22.23.0, 24.17.0 and 26.3.1 on June 18, fixing 13 CVEs. Two are rated HIGH: CVE-2026-48933, a WebCrypto AES integer overflow that aborts the process, and CVE-2026-48618, a TLS wildcard-depth check fooled by a Unicode dot separator. Which release line do you run?

    @canartuc

    19 Jun 2026


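  6. Node.js has fixed multiple serious vulnerabilities: CVE-2026-48933, an integer overflow in WebCrypto AES, and CVE-2026-48618, improper handling of the Unicode middle dot in TLS hostname handling. Several other vulnerabilities have also been fixed. https://t.co/mt8onCMwN7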

    @__kokumoto

    18 Jun 2026


Configurations

References

Sources include official advisories and independent security research.