CVE-2026-48618

Source
https://cve.org/CVERecord?id=CVE-2026-48618
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48618.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48618
Aliases
Downstream
Related
Published
2026-06-26T01:14:36.868Z
Modified
2026-07-08T08:13:38.091352680Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48618.json",
    "cna_assigner": "hackerone",
    "cwe_ids": [
        "CWE-176"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "22.22.3"
                },
                {
                    "last_affected": "22.22.3"
                },
                {
                    "introduced": "24.16.0"
                },
                {
                    "last_affected": "24.16.0"
                },
                {
                    "introduced": "26.3.0"
                },
                {
                    "last_affected": "26.3.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*",
        "cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*",
        "cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "22.22.3"
        },
        {
            "last_affected": "22.22.3"
        },
        {
            "introduced": "24.16.0"
        },
        {
            "last_affected": "24.16.0"
        },
        {
            "introduced": "26.3.0"
        },
        {
            "last_affected": "26.3.0"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

22.*
22.22.3
24.*
24.16.0
26.*
26.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48618.json"