A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
{
"cpes": [
"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"
],
"severity": "Medium"
}