CVE-2026-48619

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*

History

26 Jun 2026, 20:18

Type Values Removed Values Added
References () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - () https://nodejs.org/en/blog/vulnerability/june-2026-security-releases - Patch, Vendor Advisory
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*
First Time Nodejs
Nodejs node.js

26 Jun 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 02:16

Updated : 2026-06-26 20:18


NVD link : CVE-2026-48619

Mitre link : CVE-2026-48619

CVE.ORG link : CVE-2026-48619


JSON object : View

Products Affected

nodejs

  • node.js
CWE
CWE-400

Uncontrolled Resource Consumption