17 matches found
CVE-2026-48618
CVE-2026-48618 is a Node.js TLS hostname handling issue involving unicode dot separator handling that can bypass wildcard-depth authentication due to resolver/verifier hostname normalization mismatches. Connected updates confirm the vulnerability affects Node.js 22, 24, and 26 across releases. SU...
CVE-2026-48933
CVE-2026-48933 describes a vulnerability in Node.js WebCrypto where AES processing in subtle.encrypt() can crash the process when the input size is a multiple of 2 GiB. The connected SUSE advisory confirms this CVE is addressed in the nodejs24 update to 24.17.0 as part of a rollup that fixes mult...
CVE-2026-48930
CVE-2026-48930 affects Node.js 22.x, 24.x, and 26.x due to a flaw in TLS hostname handling where embedded-nul hostnames cause silent authority rebinding from c-string truncation in resolver bindings. Affected components are within Node.js TLS hostname resolution/verification paths. The vulnerabil...
CVE-2026-48615
Summary: CVE-2026-48615 concerns a flaw in Node.js proxy tunnel error handling that can expose proxy credentials embedded in the proxy URL via the ERR_PROXY_TUNNEL error messages. The leak is tied to error handling paths and could be captured by logs, diagnostics, or other error consumers. Affect...
CVE-2025-59466
Summary: CVE-2025-59466 describes an issue in Node.js error handling where uncatchable stack-overflow crashes occur when async_hooks.createHook() is enabled. The crash bypasses uncaughtException handling and can cause process termination under deep recursion, affecting applications using AsyncLoc...
CVE-2025-55130
The CVE-2025-55130 entry describes a path traversal bypass in Node.js permission model: crafted relative symlink paths can cause reads/writes outside the allowed directory when --allow-fs-read/--allow-fs-write checks pass, enabling read/write of sensitive files and potential system compromise. Af...
CVE-2026-21637
CVE-2026-21637 is a Node.js TLS handling issue where synchronous exceptions in PSK/ALPN callbacks can bypass tlsClientError/error paths, causing process termination or FD leaks and potential DoS. Connected advisories (ALAS2023-2026-1404, ALAS2023-2026-1402, ALAS2023-2026-1403, CBLMARINER) confirm...
CVE-2026-48619
CVE-2026-48619 describes a flaw in Node.js HTTP/2 client where a server can send an unlimited number of ORIGIN frames, potentially causing an Out of Memory (OOM) on the client. Affected releases are Node.js 22, 24, and 26. The June 2026 security releases provide fixes in updated versions: 22.23.0...
CVE-2026-48931
CVE-2026-48931 describes a flaw in Node.js HTTP Agent where a client may treat a response as valid if it is sent before the client issues a request. Affected are all supported Node.js lines (22, 24, 26). The documented impact is low severity (CVSS v3.0 base score 3.7) with no confidentiality or a...
CVE-2026-48936
CVE-2026-48936: A flaw in the Node.js Permission API can cause a local server to start via a Unix domain socket without the --allow-net permission, affecting the Node.js 26 release line. Connected sources indicate this has been fixed in the nodejs26-26.3.1-1.1 package (openSUSE Tumbleweed) and re...
CVE-2026-21636
CVE-2026-21636 describes a security flaw in Node.js’s Permissions model where Unix Domain Socket (UDS) connections can bypass network restrictions even when --allow-net is not enabled. Attacker-controlled inputs (e.g., URLs or socketPath) could reach arbitrary local sockets via net, tls, or undic...
CVE-2025-59465
CVE-2025-59465 is observed affecting Node.js packages across multiple Amazon Linux and Fedora advisories. The issue concerns Node.js HTTP/2 server handling of malformed HEADERS frames with oversized HPACK data, leading to a crash via an unhandled TLSSocket error (ECONNRESET) and remote DoS. Affec...
CVE-2025-59464
CVE-2025-59464 describes a memory leak in Node.js OpenSSL integration during conversion of X.509 certificate fields to UTF-8, occurring when applications call socket.getPeerCertificate(true). Each certificate field leaks memory, enabling steady memory growth over TLS connections and potentially c...
CVE-2026-48935
A vulnerability (CVE-2026-48935) in Node.js Permission API can bypass read‑only restrictions via FileHandle.utimes() in the promises API, allowing metadata modification on a read‑only path. Affected releases include Node.js 22, 24, and 26. The issue is addressed in the openSUSE/SUSE patch for nod...
CVE-2025-55132
The Connected documents confirm CVE-2025-55132: Node.js’ fs.futimes() can bypass the Read-Only permission model, allowing modification of file timestamps even when a process has only read access. Affected products are Node.js releases in the 20/22/24/25 lineages. Impact is potential log tampering...
CVE-2026-48934
CVE-2026-48934 affects Node.js releases 22, 24, and 26. The described flaw enables TLS host identity verification bypass when a session is reused with a different servername, leading to possible unauthorized connections . Advisories (SUSE/OpenSUSE) indicate a patch in the nodejs26-26.3.1-1.1 pack...
CVE-2026-48928
CVE-2026-48928 affects Node.js releases 22/24/26. The issue is uppercase SNI context matching causing MTLS authorization bypass due to case-sensitive hostname matching in multi-context mTLS. SUSE indicates this CVE is fixed in nodejs24 update to 24.17.0; remediation is to upgrade to that version ...