CVE-2026-48615

NameCVE-2026-48615
DescriptionA flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u8vulnerable
bookworm18.20.4+dfsg-1~deb12u1vulnerable
bookworm (security)18.20.4+dfsg-1~deb12u2vulnerable
trixie, trixie (security)20.19.2+dfsg-1+deb13u2vulnerable
forky, sid24.18.0+dfsg+~cs24.13.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)24.17.0+dfsg+~cs24.13.2-1

Notes

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#proxy-credentials-leaked-in-err_proxy_tunnel-error-message-cve-2026-48615---medium
https://github.com/nodejs/node/commit/9b6af26132f6e87659ce360e6a59f42a03ff1701 (v22.23.0)

Search for package or bug name: Reporting problems