CVE-2026-48618

NameCVE-2026-48618
DescriptionA flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u8vulnerable
bookworm18.20.4+dfsg-1~deb12u1vulnerable
bookworm (security)18.20.4+dfsg-1~deb12u2vulnerable
trixie (security), trixie20.19.2+dfsg-1+deb13u2vulnerable
forky, sid24.18.0+dfsg+~cs24.13.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)24.17.0+dfsg+~cs24.13.2-1

Notes

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases#nodejs-unicode-dot-separator-handling-can-lead-to-tls-wildcard-depth-authentication-bypass-due-to-resolver-and-verifier-hostname-normalization-mismat-cve-2026-48618---high
https://github.com/nodejs/node/commit/2197a47144f3356ab451c5dcd858a49eb5957a70 (v22.23.0)

Search for package or bug name: Reporting problems