Security
Node.js ships coordinated security releases patching 11 CVEs
- Category: Security
- Status: confirmed
- Sources: Node.js v26.3.1 release
- Summary: Node.js published coordinated security releases on 2026-06-18 at 04:37 UTC across its maintained lines: v26.3.1 (Current) and the LTS lines v24.17.0 and v22.23.0. They patch 11 CVEs, two rated High: CVE-2026-48618, where the TLS server-identity check failed to normalize the hostname, and CVE-2026-48933, a missing output-length guard in the WebCrypto cipher path. Medium-severity fixes cover case-sensitive TLS SNI context matching (CVE-2026-48928), binding reusable TLS sessions to the authenticated host (CVE-2026-48934), unbounded HTTP/2 originSet memory growth (CVE-2026-48619), rejection of hostnames with embedded NUL bytes in dns and net (CVE-2026-48930), and redaction of proxy credentials in tunnel errors (CVE-2026-48615). Low-severity fixes harden the permission model and fix response-queue poisoning in http.Agent (CVE-2026-48931). The releases also bundle OpenSSL 3.5.7, llhttp 9.4.2, and undici 8.5.0. No active exploitation was reported at release.
- Why it matters: The TLS hostname-verification and WebCrypto fixes affect any Node service that terminates or initiates TLS, so operators should move to the patched runtime on every maintained line.
- Follow-up: Track any exploitation reports and the next scheduled releases for downstream container base images.