Lucene search
K

17 matches found

CVE
CVE
added 2026/06/26 1:14 a.m.207 views

CVE-2026-48618

CVE-2026-48618 is a Node.js TLS hostname handling issue involving unicode dot separator handling that can bypass wildcard-depth authentication due to resolver/verifier hostname normalization mismatches. Connected updates confirm the vulnerability affects Node.js 22, 24, and 26 across releases. SU...

7.7CVSS6.7AI score0.00674EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.110 views

CVE-2026-48933

CVE-2026-48933 describes a vulnerability in Node.js WebCrypto where AES processing in subtle.encrypt() can crash the process when the input size is a multiple of 2 GiB. The connected SUSE advisory confirms this CVE is addressed in the nodejs24 update to 24.17.0 as part of a rollup that fixes mult...

7.5CVSS6.6AI score0.02806EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.105 views

CVE-2026-48930

CVE-2026-48930 affects Node.js 22.x, 24.x, and 26.x due to a flaw in TLS hostname handling where embedded-nul hostnames cause silent authority rebinding from c-string truncation in resolver bindings. Affected components are within Node.js TLS hostname resolution/verification paths. The vulnerabil...

9.8CVSS6.6AI score0.00405EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.82 views

CVE-2026-48615

Summary: CVE-2026-48615 concerns a flaw in Node.js proxy tunnel error handling that can expose proxy credentials embedded in the proxy URL via the ERR_PROXY_TUNNEL error messages. The leak is tied to error handling paths and could be captured by logs, diagnostics, or other error consumers. Affect...

7.5CVSS6.6AI score0.00437EPSS
CVE
CVE
added 2026/01/20 8:41 p.m.63 views

CVE-2025-59466

Summary: CVE-2025-59466 describes an issue in Node.js error handling where uncatchable stack-overflow crashes occur when async_hooks.createHook() is enabled. The crash bypasses uncaughtException handling and can cause process termination under deep recursion, affecting applications using AsyncLoc...

7.5CVSS6AI score0.00624EPSS
CVE
CVE
added 2026/01/20 8:41 p.m.62 views

CVE-2025-55130

The CVE-2025-55130 entry describes a path traversal bypass in Node.js permission model: crafted relative symlink paths can cause reads/writes outside the allowed directory when --allow-fs-read/--allow-fs-write checks pass, enabling read/write of sensitive files and potential system compromise. Af...

9.1CVSS5.8AI score0.01633EPSS
Web
CVE
CVE
added 2026/01/20 8:41 p.m.51 views

CVE-2026-21637

CVE-2026-21637 is a Node.js TLS handling issue where synchronous exceptions in PSK/ALPN callbacks can bypass tlsClientError/error paths, causing process termination or FD leaks and potential DoS. Connected advisories (ALAS2023-2026-1404, ALAS2023-2026-1402, ALAS2023-2026-1403, CBLMARINER) confirm...

7.5CVSS5.6AI score0.01056EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.49 views

CVE-2026-48619

CVE-2026-48619 describes a flaw in Node.js HTTP/2 client where a server can send an unlimited number of ORIGIN frames, potentially causing an Out of Memory (OOM) on the client. Affected releases are Node.js 22, 24, and 26. The June 2026 security releases provide fixes in updated versions: 22.23.0...

7.5CVSS6.7AI score0.00656EPSS
CVE
CVE
added 2026/06/22 6:59 p.m.49 views

CVE-2026-48931

CVE-2026-48931 describes a flaw in Node.js HTTP Agent where a client may treat a response as valid if it is sent before the client issues a request. Affected are all supported Node.js lines (22, 24, 26). The documented impact is low severity (CVSS v3.0 base score 3.7) with no confidentiality or a...

3.7CVSS5.9AI score0.00371EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.32 views

CVE-2026-48936

CVE-2026-48936: A flaw in the Node.js Permission API can cause a local server to start via a Unix domain socket without the --allow-net permission, affecting the Node.js 26 release line. Connected sources indicate this has been fixed in the nodejs26-26.3.1-1.1 package (openSUSE Tumbleweed) and re...

3.3CVSS6.6AI score0.00154EPSS
CVE
CVE
added 2026/01/20 8:41 p.m.30 views

CVE-2026-21636

CVE-2026-21636 describes a security flaw in Node.js’s Permissions model where Unix Domain Socket (UDS) connections can bypass network restrictions even when --allow-net is not enabled. Attacker-controlled inputs (e.g., URLs or socketPath) could reach arbitrary local sockets via net, tls, or undic...

10CVSS5.8AI score0.00663EPSS
Web
CVE
CVE
added 2026/01/20 8:41 p.m.29 views

CVE-2025-59465

CVE-2025-59465 is observed affecting Node.js packages across multiple Amazon Linux and Fedora advisories. The issue concerns Node.js HTTP/2 server handling of malformed HEADERS frames with oversized HPACK data, leading to a crash via an unhandled TLSSocket error (ECONNRESET) and remote DoS. Affec...

7.5CVSS5.5AI score0.03782EPSS
CVE
CVE
added 2026/01/20 8:41 p.m.28 views

CVE-2025-59464

CVE-2025-59464 describes a memory leak in Node.js OpenSSL integration during conversion of X.509 certificate fields to UTF-8, occurring when applications call socket.getPeerCertificate(true). Each certificate field leaks memory, enabling steady memory growth over TLS connections and potentially c...

7.5CVSS5.5AI score0.0023EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.28 views

CVE-2026-48935

A vulnerability (CVE-2026-48935) in Node.js Permission API can bypass read‑only restrictions via FileHandle.utimes() in the promises API, allowing metadata modification on a read‑only path. Affected releases include Node.js 22, 24, and 26. The issue is addressed in the openSUSE/SUSE patch for nod...

3.3CVSS6.6AI score0.00154EPSS
CVE
CVE
added 2026/01/20 8:41 p.m.27 views

CVE-2025-55132

The Connected documents confirm CVE-2025-55132: Node.js’ fs.futimes() can bypass the Read-Only permission model, allowing modification of file timestamps even when a process has only read access. Affected products are Node.js releases in the 20/22/24/25 lineages. Impact is potential log tampering...

5.3CVSS5.5AI score0.00227EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.24 views

CVE-2026-48934

CVE-2026-48934 affects Node.js releases 22, 24, and 26. The described flaw enables TLS host identity verification bypass when a session is reused with a different servername, leading to possible unauthorized connections . Advisories (SUSE/OpenSUSE) indicate a patch in the nodejs26-26.3.1-1.1 pack...

4.3CVSS6.6AI score0.00258EPSS
CVE
CVE
added 2026/06/26 1:14 a.m.23 views

CVE-2026-48928

CVE-2026-48928 affects Node.js releases 22/24/26. The issue is uppercase SNI context matching causing MTLS authorization bypass due to case-sensitive hostname matching in multi-context mTLS. SUSE indicates this CVE is fixed in nodejs24 update to 24.17.0; remediation is to upgrade to that version ...

5.4CVSS6.6AI score0.00256EPSS