- Description
- A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a hostname normalization mismatch between the resolver and the verifier. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
- Source
- support@hackerone.com
- NVD status
- Analyzed
- Products
- node.js
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
CVSS 3.0
- Type
- Secondary
- Base score
- 7.7
- Impact score
- 4
- Exploitability score
- 3.1
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Severity
- HIGH
- support@hackerone.com
- CWE-176
- Hype score
- Not currently trending
After analyzing 44% of vulnerabilities from the past week, CVE-2026-48618 has 9 articles published from different internet sources; no other CVE has this many articles. More information here: https://t.co/SyyDujjO8C #vulnerability #CyberSecurity #ThreatIntel #CVE #SecurityAlert
@stooee_
2 Jul 2026
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Vulnerabilities in Node.js products ❗ CVE-2026-48933 ❗ CVE-2026-48618 ➡️ More info: https://t.co/T7ozh8Eldm https://t.co/HuO8PJ3WnA
@CERTpy
2 Jul 2026
206 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Node.js fixes 12 vulnerabilities in its June 2026 security release (CVE-2026-48933, CVE-2026-48618), among others https://t.co/9aJi3HQB4i #セキュリティ対策Lab #security #securitynews
@securityLab_jp
22 Jun 2026
90 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Node.js patched all active LTS lines on June 18. CVE-2026-48618: IPv6 dots bypass TLS wildcard certs. CVE-2026-48933: WebCrypto AES crash, remote process abort. Patch to 22.23.0 / 24.17.0 / 26.3.1. How long before your team ships this?
@dartilesm
21 Jun 2026
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Node.js shipped 22.23.0, 24.17.0 and 26.3.1 on June 18, fixing 13 CVEs. Two are rated HIGH: CVE-2026-48933, a WebCrypto AES integer overflow that aborts the process, and CVE-2026-48618, a TLS wildcard-depth check fooled by a Unicode dot separator. Which release line do you run?
@canartuc
19 Jun 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
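Node.js fixes multiple serious vulnerabilities: CVE-2026-48933, an integer overflow in WebCrypto AES, and CVE-2026-48618, improper handling of the Unicode middle dot in TLS hostname handling. Several other vulnerabilities have also been fixed. https://t.co/mt8onCMwN7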
@__kokumoto
18 Jun 2026
412 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*",
            "matchCriteriaId": "3C0C5080-5F99-4651-9855-2DE03C9070C5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*",
            "matchCriteriaId": "3B912C84-1AA5-4D74-AB1A-64162C80A33B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*",
            "matchCriteriaId": "8152ACE6-3CAF-4CA0-8B19-D4753811EB44",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]