A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.
When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References
| Link | Resource |
|---|---|
| https://nodejs.org/en/blog/vulnerability/june-2026-security-releases | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
26 Jun 2026, 20:18
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Nodejs
Nodejs node.js |
|
| CPE | cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| References | () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - Patch, Vendor Advisory |
26 Jun 2026, 02:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 02:16
Updated : 2026-06-26 20:18
NVD link : CVE-2026-48615
Mitre link : CVE-2026-48615
CVE.ORG link : CVE-2026-48615
JSON object : View
Products Affected
nodejs
- node.js
CWE
CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
