CVE-2026-48615
Published 2026-06-26
Priority P3 · 43 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.39% (31.0th percentile)
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.
When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
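A defensive measure at the point where the advisory says the leak becomes visible (logs, diagnostics, other error consumers) is to scrub URL userinfo from errors before they are recorded. The following is an added example, not Node.js code and not the upstream fix; `redactUrlCredentials`, `toLoggableError` and the sample error text are hypothetical and constructed, since the real `ERR_PROXY_TUNNEL` message format is not shown on this page.

```javascript
'use strict';

// Matches the userinfo part of any URL: scheme://user:password@host
// The match is greedy up to the last '@' before the first '/', '?', '#'
// or whitespace, so a password containing a raw '@' is fully covered.
const URL_USERINFO = /\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/?#]+@/gi;

function redactUrlCredentials(text) {
  return typeof text === 'string'
    ? text.replace(URL_USERINFO, '$1[REDACTED]@')
    : text;
}

// Build a log-safe plain object from an error. Message and stack are
// scrubbed, and the `cause` chain is followed (bounded, in case of cycles).
function toLoggableError(err, depth = 0) {
  if (!(err instanceof Error) || depth > 5) {
    return redactUrlCredentials(String(err));
  }
  const out = {
    name: err.name,
    code: err.code,
    message: redactUrlCredentials(err.message),
    stack: redactUrlCredentials(err.stack),
  };
  if (err.cause !== undefined) {
    out.cause = toLoggableError(err.cause, depth + 1);
  }
  return out;
}

// Constructed sample: an error shaped like a proxy tunnel failure whose
// text embeds the proxy URL. The wording is invented for this example.
function sampleTunnelError() {
  const cause = new Error(
    'connect ECONNREFUSED via http://svc:s3cr3t@proxy.internal.example:3128');
  const err = new Error(
    'tunnel failed through http://svc:p%40ss@w0rd@proxy.internal.example:3128/',
    { cause });
  err.code = 'ERR_PROXY_TUNNEL';
  return err;
}

// What a logger would receive instead of the raw error object
console.log(JSON.stringify(toLoggableError(sampleTunnelError()), null, 2));
```

Scrubbing at the logger only covers sinks that go through it; keeping credentials out of the proxy URL and upgrading once a fixed release is available address the source.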
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
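| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |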
Red Hat
nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
vendor_redhat·2026-06-26·CVSS 7.5
CVE-2026-48615 [HIGH] CWE-209 nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
A flaw was found in Node.js. When proxy credentials are embedded in a proxy URL, an issue in the proxy tunnel error handling can lead to the exposure of these credentials. This information disclosure vulnerability allows an attacker to potentially capture sensitive proxy credentials through logs, diagnostics, or other error-consuming mechanisms.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Affected
Package: nodejs24 (Red Hat Enterprise Linux 10) -
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 Error Message private personal information (Nessus ID 323047)
vuldb·2026-06-27·CVSS 7.5
CVE-2026-48615 [HIGH] Node.js up to 22.22.3/24.16.0/26.3.0 Error Message private personal information (Nessus ID 323047)
A vulnerability was found in Node.js up to 22.22.3/24.16.0/26.3.0 and classified as problematic. Affected is an unknown function of the component Error Message Handler. Executing a manipulation can lead to exposure of private personal information to an unauthorized actor.
This vulnerability appears as CVE-2026-48615. The attack may be performed from remote. There is no available exploit.
GHSA
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.
ghsa_unreviewed·2026-06-26
CVE-2026-48615 [MEDIUM] CWE-359 A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48615 nodejs20: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48615 [HIGH] CVE-2026-48615 nodejs20: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48615 nodejs22: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48615 [HIGH] CVE-2026-48615 nodejs22: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
Bugzilla
CVE-2026-48615 nodejs24: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48615 [HIGH] CVE-2026-48615 nodejs24: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling [fedora-all]
Bugzilla
CVE-2026-48615 nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48615 [HIGH] CVE-2026-48615 nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling