A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a resolver and verifier hostname normalization mismatch.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References
| Link | Resource |
|---|---|
| https://nodejs.org/en/blog/vulnerability/june-2026-security-releases | Patch Vendor Advisory |
History
26 Jun 2026, 20:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:* | |
| CVSS | v2 : v3 : | v2 : unknown, v3 : 6.5 |
| References | () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - Patch, Vendor Advisory | |
| First Time | Nodejs, Nodejs node.js | |
26 Jun 2026, 02:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-26 02:16
Updated : 2026-06-26 20:18
NVD link : CVE-2026-48618
Mitre link : CVE-2026-48618
CVE.ORG link : CVE-2026-48618
Products Affected
nodejs
- node.js
CWE
CWE-176
Improper Handling of Unicode Encoding
