CRITICAL🇵🇱 Wersja polska

CVE-2026-48930

CVSS 9.8v3.0pub. 2026-06-26

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

🤖 AI Analysis
How it works

The error results from C-string truncation in resolver bindings — libraries handling C-style character strings treat the NUL byte (\0) as the end of the string. If an attacker can influence the hostname value containing an embedded NUL byte, the portion of the name after that byte is omitted during TLS verification. As a result, the server identity verification mechanism (hostname validation) may accept a certificate not corresponding to the actual target host, leading to silent redirection of the connection to a different authority without the application's knowledge.

Impact

An attacker can cause TLS server identity verification to be bypassed and encrypted traffic to be redirected to an unintended host, enabling interception or manipulation of data transmitted over the connection (man-in-the-middle attack). This results in violation of data confidentiality and integrity as well as the possibility of session hijacking.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with the references — update details are available in the official Node.js security bulletin from June 2026: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases

Who is affected

Node.js 22, Node.js 24, and Node.js 26 — all supported Node.js release lines.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Node.js

    APP
    Nodejs
    22.22.324.16.026.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-21636CRITICAL10.0PL ✓ten sam produkt

Node.js: obejście modelu uprawnień przez Unix Domain Socket

CVE-2025-55130CRITICAL9.1PL ✓ten sam produkt

Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki

CVE-2024-3566CRITICAL9.8PL ✓ten sam produkt

Command injection w aplikacjach Windows korzystających z CreateProcess

CVE-2024-21896CRITICAL9.8PL ✓ten sam produkt

Path traversal w Permission Model Node.js przez monkey-patching Buffer

CVE-2023-39332CRITICAL9.8ten sam produkt

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...