PT-2026-52061 · OpenJS Foundation · Node.js

Published 2026-06-23 · Updated 2026-06-26 · CVE-2026-48930

CVSS v3.1: 5.6 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions
Node.js versions 22.x and earlier
Node.js versions 24.x and earlier
Node.js versions 26.x and earlier

Description
A flaw in TLS hostname handling allows hostnames with an embedded NUL character to cause silent authority rebinding. This occurs due to C-string truncation in resolver bindings: a null character in the hostname string terminates the string prematurely in the underlying C code, potentially leading the application to connect to an unintended destination.

Recommendations
Update Node.js 22 to the latest patched version.
Update Node.js 24 to the latest patched version.
Update Node.js 26 to version 26.3.1-1.1 or later.
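
As a defense-in-depth check alongside the update, an application can reject hostnames with an embedded NUL before they reach the resolver or TLS layer. The following is an added example, not Node.js source code or part of the original advisory; `cView`, `checkHostname`, `tlsOptionsFor` and the sample hostnames are hypothetical, and `cView` is only a simplified model of the C-string truncation described above.

```javascript
'use strict';
// Added example (not Node.js source): pre-connection guard for hostnames.
// cView() is an assumed, simplified model of how C code that reads a
// NUL-terminated string sees a JavaScript string.
function cView(host) {
  const i = host.indexOf('\u0000');
  return i === -1 ? host : host.slice(0, i);
}

// Validates a hostname without doing any network I/O.
function checkHostname(host) {
  if (typeof host !== 'string' || host.length === 0) {
    return { ok: false, reason: 'hostname must be a non-empty string' };
  }
  const truncated = cView(host);
  if (truncated !== host) {
    return {
      ok: false,
      reason: 'embedded NUL: C-level name differs from the JavaScript string',
      jsView: JSON.stringify(host),
      cView: truncated,
    };
  }
  // Other control characters and whitespace are never valid in a host name.
  if (/[\u0001-\u0020\u007f]/.test(host)) {
    return { ok: false, reason: 'control or whitespace character in hostname' };
  }
  return { ok: true, jsView: JSON.stringify(host), cView: truncated };
}

// Builds options for tls.connect() only when the hostname passes the check,
// so a name with an embedded NUL never reaches the resolver or TLS layer.
function tlsOptionsFor(host, port) {
  const result = checkHostname(host);
  if (!result.ok) {
    throw new TypeError(`refusing to connect: ${result.reason}`);
  }
  return { host, port, rejectUnauthorized: true };
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['api.example.test', 'api.example.test\u0000.other.example.test'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', checkHostname(s));
}
```

Logging the rejected value with `JSON.stringify` keeps the NUL visible as `\u0000` in logs instead of being silently dropped by a terminal or log viewer.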

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-48930
OPENSUSE-SU-2026:11110-1
OPENSUSE-SU-2026:11121-1
SUSE-SU-2026:2633-1

Affected Products

Node.js