CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*

History

26 Jun 2026, 20:18

Type Values Removed Values Added
First Time Nodejs
Nodejs node.js
CPE cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
CVSS v2 : unknown
v3 : 5.9
v2 : unknown
v3 : 7.5
References () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - Patch, Vendor Advisory

26 Jun 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 02:16

Updated : 2026-06-26 20:18


NVD link : CVE-2026-48615

Mitre link : CVE-2026-48615

CVE.ORG link : CVE-2026-48615


JSON object : View

Products Affected

nodejs

  • node.js
CWE
CWE-359

Exposure of Private Personal Information to an Unauthorized Actor