Node.js Patches 12 Flaws Including TLS Authentication Bypass and WebCrypto DoS
The Node.js project released security updates across its supported 22.x, 24.x, and 26.x lines to fix 12 vulnerabilities, including two high-severity issues that prompted calls for immediate patching. The most serious bugs are CVE-2026-48618, a TLS hostname verification flaw caused by improper handling of Unicode dot separators that can lead to authentication bypass, and CVE-2026-48933, a WebCrypto AES integer overflow that can crash processes and enable remote denial-of-service. The releases were announced for all active Node.js lines through the project’s coordinated June security update process and public notices on the oss-sec mailing list.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues Node.js advisory AV26-624
On 2026-06-22, the Canadian Centre for Cyber Security published advisory AV26-624 about the Node.js security releases issued on June 18. The notice identified affected versions in the 22.x, 24.x, and 26.x lines and urged users and administrators to review the release information and apply the updates.
Node.js releases June 2026 security updates for supported lines
On June 18, 2026, Node.js released security updates for its supported 22.x, 24.x, and 26.x release lines to address 12 vulnerabilities. Reported issues included high-severity flaws such as CVE-2026-48618 and CVE-2026-48933, along with additional fixes affecting TLS, HTTP/2, proxy handling, permissions, and related components.
Node.js announces planned June 2026 security releases
An earlier Node.js notice stated that new versions of all supported release lines were intended to be released on or shortly after June 17, 2026.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Nodejs security advisory (AV26-624) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceNode.js Multiple Vulnerabilities
hkcert.org
Open sourceNode.js Fixes 12 Vulnerabilities, Including 2 High-Severity Authentication Bypasses
cybersecuritynews.com
Open sourceNode.js Security Updates: Patch Critical Flaws Now
securityonline.info
Open sourceTags · nodejs/node · GitHub
github.com
Open sourceoss-sec: Fwd: Node.js security updates for all active release lines, June 2026
seclists.org
Open sourceoss-sec: Re: Fwd: Node.js security updates for all active release lines, June 2026
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Node.js patches high-severity DoS flaws in TLS and HTTP request handling
Node.js released security updates for supported 20.x, 22.x, 24.x, and 25.x branches to fix **two high-severity**, **five medium-severity**, and **two low-severity** vulnerabilities, with patched versions issued as `v20.20.2`, `v22.22.2`, `v24.14.1`, and `v25.8.2`. The most serious bug, `CVE-2026-21637`, was an incomplete fix in TLS `SNICallback` handling that could be triggered remotely to cause an uncaught exception and crash affected processes. A second high-severity issue, `CVE-2026-21710`, allowed specially crafted HTTP requests using a `__proto__` header name to trigger a denial of service when applications accessed `req.headersDistinct`. The release also addressed Permission Model bypasses, a native crash in URL formatting, a timing side-channel in HMAC verification, an HTTP/2 flow-control memory leak that could lead to memory exhaustion, and a V8 **HashDoS** weakness; Node.js also updated the `undici` dependency on 22.x, 24.x, and 25.x to remediate public vulnerabilities. Debian published a corresponding `nodejs` security update, and the Canadian Centre for Cyber Security urged administrators to review vendor guidance and apply the patched releases, with internet-facing TLS servers identified as the highest-priority systems for remediation.
Jun 10, 2026
Security Patches and Vulnerability Disclosures in Deno, glibc, and Go
Multiple upstream language/runtime and core library projects disclosed and/or patched significant vulnerabilities affecting widely deployed developer and production environments. **Deno** reported two issues: **CVE-2026-22863** (CVSS 9.2) in the `node:crypto` compatibility layer where `cipher.final()` fails to properly finalize/close cipher state, enabling “infinite encryptions” that could aid attacks aimed at learning server secrets; and **CVE-2026-22864**, a Windows-specific command execution weakness involving a bypass in `Deno.Command` protections when executing batch files, undermining intended shell-injection safeguards. **glibc** maintainers disclosed **CVE-2026-0861** (CVSS 8.4), an integer overflow in `memalign`, `posix_memalign`, and `aligned_alloc` affecting versions 2.30–2.42 that can lead to heap corruption when an attacker can control unusually large `size` values and alignment parameters, and **CVE-2026-0915**, a decades-old information leak in `getnetbyaddr`/`getnetbyaddr_r` affecting versions 2.0–2.42 that can expose uninitialized stack contents to DNS backends when querying a zero-valued network. Separately, the **Go** team released security updates (*Go* 1.25.6 and 1.24.12) addressing six vulnerabilities across the standard library (e.g., `archive/zip`, `net/http`, `crypto/tls`) and the toolchain, including a ZIP-processing CPU-exhaustion DoS (**CVE-2025-61728**) and toolchain issues that could enable command execution in certain developer/build scenarios; organizations running Go services or CI/build pipelines were advised to upgrade to the patched releases.
May 8, 2026
Critical vm2 Sandbox Escapes Expose Node.js Hosts to Arbitrary Code Execution
Researchers disclosed a broad set of critical flaws in the `vm2` Node.js sandbox library that allow untrusted JavaScript to break isolation and execute arbitrary code on the host system. Reports describe 11 to 12 vulnerabilities affecting versions across the `3.9.6` to `3.11.1` range, with most rated `CVSS 9.8` to `10.0`, and impacting core protections such as built-in allowlists, object handling, prototype traversal, Promise species behavior, `util.inspect`, `Module._load()`, WebAssembly exception handling, and unsafe `nesting: true` configurations. One tracked issue, **CVE-2026-24118**, is a sandbox breakout through `__lookupGetter__` in versions prior to `3.11.0`, enabling host-level command execution with no privileges or user interaction. The disclosures reinforce long-running concerns that `vm2`'s JavaScript-only isolation model is not dependable for high-risk use cases such as multi-tenant code execution, plugin evaluation, automated grading, and serverless workloads. While some reports recommend upgrading to **vm2 `3.11.2`** for the latest protections, others note that **CVE-2026-44008** and **CVE-2026-44009** remain unpatched and argue that organizations handling untrusted code should consider stronger isolation boundaries such as containers or microVMs. Successful exploitation could expose environment variables, credentials, and files, and enable full compromise of the underlying Node.js host and potential lateral movement.
May 15, 2026