Vulnerability-Lookup

RHSA-2026:28727

Vulnerability from csaf_redhat - Published: 2026-06-24 03:33 - Updated: 2026-06-27 08:44

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: nodejs22: * nodejs22-22.23.1-1.hum1 (aarch64, x86_64) * nodejs22-bin-22.23.1-1.hum1 (noarch) * nodejs22-devel-22.23.1-1.hum1 (aarch64, x86_64) * nodejs22-docs-22.23.1-1.hum1 (noarch) * nodejs22-full-i18n-22.23.1-1.hum1 (aarch64, x86_64) * nodejs22-libs-22.23.1-1.hum1 (aarch64, x86_64) * nodejs22-npm-10.9.8-1.22.23.1.1.hum1 (noarch) * nodejs22-npm-bin-22.23.1-1.hum1 (noarch) * v8-12.4-devel-12.4.254.21-1.22.23.1.1.hum1 (aarch64, x86_64) * nodejs22-22.23.1-1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-48615

A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-209 - Generation of Error Message Containing Sensitive Information

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-48618

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.

7.7 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-289 - Authentication Bypass by Alternate Name

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-48933

A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:nodejs22-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:nodejs22-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

20 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:28727	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-48618	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-48933	external
https://access.redhat.com/security/cve/CVE-2026-48615	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-48615	self
https://bugzilla.redhat.com/show_bug.cgi?id=2493335	external
https://www.cve.org/CVERecord?id=CVE-2026-48615	external
https://nvd.nist.gov/vuln/detail/CVE-2026-48615	external
https://nodejs.org/en/blog/vulnerability/june-202…	external
https://access.redhat.com/security/cve/CVE-2026-48618	self
https://bugzilla.redhat.com/show_bug.cgi?id=2493337	external
https://www.cve.org/CVERecord?id=CVE-2026-48618	external
https://nvd.nist.gov/vuln/detail/CVE-2026-48618	external
https://access.redhat.com/security/cve/CVE-2026-48933	self
https://bugzilla.redhat.com/show_bug.cgi?id=2493331	external
https://www.cve.org/CVERecord?id=CVE-2026-48933	external
https://nvd.nist.gov/vuln/detail/CVE-2026-48933	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nnodejs22:\n  * nodejs22-22.23.1-1.hum1 (aarch64, x86_64)\n  * nodejs22-bin-22.23.1-1.hum1 (noarch)\n  * nodejs22-devel-22.23.1-1.hum1 (aarch64, x86_64)\n  * nodejs22-docs-22.23.1-1.hum1 (noarch)\n  * nodejs22-full-i18n-22.23.1-1.hum1 (aarch64, x86_64)\n  * nodejs22-libs-22.23.1-1.hum1 (aarch64, x86_64)\n  * nodejs22-npm-10.9.8-1.22.23.1.1.hum1 (noarch)\n  * nodejs22-npm-bin-22.23.1-1.hum1 (noarch)\n  * v8-12.4-devel-12.4.254.21-1.22.23.1.1.hum1 (aarch64, x86_64)\n  * nodejs22-22.23.1-1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:28727",
        "url": "https://access.redhat.com/errata/RHSA-2026:28727"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-48618",
        "url": "https://access.redhat.com/security/cve/CVE-2026-48618"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-48933",
        "url": "https://access.redhat.com/security/cve/CVE-2026-48933"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-48615",
        "url": "https://access.redhat.com/security/cve/CVE-2026-48615"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_28727.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-27T08:44:55+00:00",
      "generator": {
        "date": "2026-06-27T08:44:55+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.2.6"
        }
      },
      "id": "RHSA-2026:28727",
      "initial_release_date": "2026-06-24T03:33:43+00:00",
      "revision_history": [
        {
          "date": "2026-06-24T03:33:43+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-27T00:14:47+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-27T08:44:55+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs22-main@aarch64",
                "product": {
                  "name": "nodejs22-main@aarch64",
                  "product_id": "nodejs22-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs22@22.23.1-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs22-main@src",
                "product": {
                  "name": "nodejs22-main@src",
                  "product_id": "nodejs22-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs22@22.23.1-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs22-main@x86_64",
                "product": {
                  "name": "nodejs22-main@x86_64",
                  "product_id": "nodejs22-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs22@22.23.1-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nodejs22-main@noarch",
                "product": {
                  "name": "nodejs22-main@noarch",
                  "product_id": "nodejs22-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/nodejs22-bin@22.23.1-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs22-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs22-main@aarch64"
        },
        "product_reference": "nodejs22-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs22-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs22-main@noarch"
        },
        "product_reference": "nodejs22-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs22-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs22-main@src"
        },
        "product_reference": "nodejs22-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nodejs22-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:nodejs22-main@x86_64"
        },
        "product_reference": "nodejs22-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-48615",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "discovery_date": "2026-06-26T02:01:59.112093+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2493335"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs22-main@aarch64",
          "Red Hat Hardened Images:nodejs22-main@noarch",
          "Red Hat Hardened Images:nodejs22-main@src",
          "Red Hat Hardened Images:nodejs22-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-48615"
        },
        {
          "category": "external",
          "summary": "RHBZ#2493335",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493335"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-48615",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48615"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48615"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ],
      "release_date": "2026-06-26T01:14:36.524000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T03:33:43+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28727"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling"
    },
    {
      "cve": "CVE-2026-48618",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "discovery_date": "2026-06-26T02:02:10.741725+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2493337"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs22-main@aarch64",
          "Red Hat Hardened Images:nodejs22-main@noarch",
          "Red Hat Hardened Images:nodejs22-main@src",
          "Red Hat Hardened Images:nodejs22-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-48618"
        },
        {
          "category": "external",
          "summary": "RHBZ#2493337",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493337"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-48618",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48618"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48618"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ],
      "release_date": "2026-06-26T01:14:36.868000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T03:33:43+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28727"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch"
    },
    {
      "cve": "CVE-2026-48933",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-26T02:01:39.107538+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2493331"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Node.js WebCrypto implementation. A remote attacker could exploit this vulnerability by providing an input to the `subtle.encrypt()` function that is a multiple of 2 gigabytes (GiB). This could lead to a denial of service (DoS) by crashing the Node.js process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in Node.js WebCrypto, as a remote attacker can crash the Node.js process by providing a specially crafted large input to the `subtle.encrypt()` function. This could lead to service unavailability in Red Hat environments where Node.js applications process untrusted data with WebCrypto.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:nodejs22-main@aarch64",
          "Red Hat Hardened Images:nodejs22-main@noarch",
          "Red Hat Hardened Images:nodejs22-main@src",
          "Red Hat Hardened Images:nodejs22-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-48933"
        },
        {
          "category": "external",
          "summary": "RHBZ#2493331",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493331"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-48933",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48933"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48933"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ],
      "release_date": "2026-06-26T01:14:36.823000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-24T03:33:43+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:28727"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:nodejs22-main@aarch64",
            "Red Hat Hardened Images:nodejs22-main@noarch",
            "Red Hat Hardened Images:nodejs22-main@src",
            "Red Hat Hardened Images:nodejs22-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()"
    }
  ]
}

CVE-2026-48615 (GCVE-0-2026-48615)

Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 13:35

Summary

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Severity

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-359 - Privacy Violation

Assigner

hackerone

References

1 reference

URL	Tags
https://nodejs.org/en/blog/vulnerability/june-202…

Impacted products

1 product

Vendor	Product	Version
nodejs	node	Affected: 22.22.3 , ≤ 22.22.3 (semver) Affected: 24.16.0 , ≤ 24.16.0 (semver) Affected: 26.3.0 , ≤ 26.3.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48615",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T13:34:45.532887Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T13:35:00.592Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "22.22.3",
              "status": "affected",
              "version": "22.22.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.16.0",
              "status": "affected",
              "version": "24.16.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "26.3.0",
              "status": "affected",
              "version": "26.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-359",
              "description": "CWE-359 Privacy Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T01:14:36.524Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-48615",
    "datePublished": "2026-06-26T01:14:36.524Z",
    "dateReserved": "2026-05-22T15:00:09.276Z",
    "dateUpdated": "2026-06-26T13:35:00.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48618 (GCVE-0-2026-48618)

Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:10

Summary

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Severity

7.7 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-176 - Improper Handling of Unicode Encoding

Assigner

hackerone

References

1 reference

URL	Tags
https://nodejs.org/en/blog/vulnerability/june-202…

Impacted products

1 product

Vendor	Product	Version
nodejs	node	Affected: 22.22.3 , ≤ 22.22.3 (semver) Affected: 24.16.0 , ≤ 24.16.0 (semver) Affected: 26.3.0 , ≤ 26.3.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T15:10:27.583362Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T15:10:40.049Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "22.22.3",
              "status": "affected",
              "version": "22.22.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.16.0",
              "status": "affected",
              "version": "24.16.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "26.3.0",
              "status": "affected",
              "version": "26.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.\r\n\r\nThis can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-176",
              "description": "CWE-176 Improper Handling of Unicode Encoding",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T01:14:36.868Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-48618",
    "datePublished": "2026-06-26T01:14:36.868Z",
    "dateReserved": "2026-05-22T15:00:09.276Z",
    "dateUpdated": "2026-06-26T15:10:40.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48933 (GCVE-0-2026-48933)

Vulnerability from cvelistv5 – Published: 2026-06-26 01:14 – Updated: 2026-06-26 15:06

Summary

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Severity

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow

Assigner

hackerone

References

1 reference

URL	Tags
https://nodejs.org/en/blog/vulnerability/june-202…

Impacted products

1 product

Vendor	Product	Version
nodejs	node	Affected: 22.22.3 , ≤ 22.22.3 (semver) Affected: 24.16.0 , ≤ 24.16.0 (semver) Affected: 26.3.0 , ≤ 26.3.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48933",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T15:05:58.547904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T15:06:12.149Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "22.22.3",
              "status": "affected",
              "version": "22.22.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.16.0",
              "status": "affected",
              "version": "24.16.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "26.3.0",
              "status": "affected",
              "version": "26.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T01:14:36.823Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-48933",
    "datePublished": "2026-06-26T01:14:36.823Z",
    "dateReserved": "2026-05-26T15:00:06.427Z",
    "dateUpdated": "2026-06-26T15:06:12.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:28727

CVE-2026-48615 (GCVE-0-2026-48615)

CVE-2026-48618 (GCVE-0-2026-48618)

CVE-2026-48933 (GCVE-0-2026-48933)

Tags

Sightings

Nomenclature