A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
The error results from C-string truncation in resolver bindings — libraries handling C-style character strings treat the NUL byte (\0) as the end of the string. If an attacker can influence the hostname value containing an embedded NUL byte, the portion of the name after that byte is omitted during TLS verification. As a result, the server identity verification mechanism (hostname validation) may accept a certificate not corresponding to the actual target host, leading to silent redirection of the connection to a different authority without the application's knowledge.
An attacker can cause TLS server identity verification to be bypassed and encrypted traffic to be redirected to an unintended host, enabling interception or manipulation of data transmitted over the connection (man-in-the-middle attack). This results in violation of data confidentiality and integrity as well as the possibility of session hijacking.
Security patches available from the vendor should be applied in accordance with the references — update details are available in the official Node.js security bulletin from June 2026: https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
Node.js 22, Node.js 24, and Node.js 26 — all supported Node.js release lines.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNode.js
APPNodejs22.22.324.16.026.3.0
Related vulnerabilities
Node.js: obejście modelu uprawnień przez Unix Domain Socket
Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki
Command injection w aplikacjach Windows korzystających z CreateProcess
Path traversal w Permission Model Node.js przez monkey-patching Buffer
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...