Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Unrated

TLS hostname verification authentication bypass in Node.js Unicode dot separator handling

IdentifiersCVE-2026-48618CWE-295

CVE-2026-48618 is a high-severity vulnerability in Node.js TLS hostname verification affecting the supported 22.x, 24.x, and 26.x release lines. The flaw is caused by improper handling of Unicode dot separators during hostname normalization, creating a mismatch between how the hostname is normalized by the resolver and by the certificate verifier. Under affected configurations, this normalization inconsistency can allow wildcard-depth checks in TLS hostname validation to be bypassed, resulting in an authentication bypass or failure of the intended host identity verification boundary.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker to bypass TLS wildcard-based hostname authentication and defeat the intended certificate identity verification boundary. This may permit spoofing of trusted endpoints or acceptance of a certificate for an unintended host, with resulting confidentiality impact and security-boundary bypass in affected deployments.

Mitigation

If you can’t patch tonight, do this now.

Until upgrades are completed, reduce exposure by avoiding reliance on vulnerable Node.js TLS hostname verification behavior in security-sensitive trust decisions, especially where wildcard certificates and hostname-based trust boundaries are used. Limit connections to strictly controlled endpoints, prefer explicit certificate pinning or additional out-of-band identity validation where operationally feasible, and review configurations that depend on wildcard hostname matching. These are temporary risk-reduction measures; patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade Node.js to a fixed release in the supported lines. The provided content identifies fixed versions as v22.23.0, v24.17.0, and v26.3.1 in the June 18, 2026 security release; other referenced reporting also cites later patched builds v22.23.1, v24.17.1, and v26.3.2. Use the latest available patched release for the relevant supported branch. End-of-life Node.js versions remain vulnerable and should not be used in production.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-48618
NVD
nvd.nist.gov/vuln/detail/CVE-2026-48618
MITRE CWE · CWE-295
cwe.mitre.org