CVE-2026-48619
Published: 2026-06-26
Priority: P343 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.58% (43.2th percentile)
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
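| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| vendor_redhat | — | 7.5 | HIGH | — |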
VulDB
Node.js up to 22.22.3/24.16.0/26.3.0 resource consumption (Nessus ID 323047)
vuldb·2026-06-27·CVSS 7.5
CVE-2026-48619 [HIGH] Node.js up to 22.22.3/24.16.0/26.3.0 resource consumption (Nessus ID 323047)
A vulnerability has been found in Node.js up to 22.22.3/24.16.0/26.3.0 and classified as problematic. This impacts an unknown function. Performing a manipulation results in resource consumption.
This vulnerability is reported as CVE-2026-48619. The attack can be carried out remotely. No exploit exists.
GHSA
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
ghsa_unreviewed·2026-06-26
CVE-2026-48619 [MEDIUM] CWE-400 A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Red Hat
nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
vendor_redhat·2026-06-26·CVSS 7.5
CVE-2026-48619 [HIGH] CWE-770 nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service.
Statement: This Moderate flaw in the Node.js HTTP/2 client can lead to a denial of service. A malicious server could exploit this by sending an excessive number of ORIGIN frames, causing the client to consume all available memory. This affects Red Hat products utilizing Node.js as an HTTP/2 client.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespre
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48619 nodejs22: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48619 [HIGH] CVE-2026-48619 nodejs22: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48619 nodejs24: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48619 [HIGH] CVE-2026-48619 nodejs24: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
Bugzilla
CVE-2026-48619 nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48619 [HIGH] CVE-2026-48619 nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames
A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
CVE-2026-48619 nodejs20: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
bugzilla·2026-06-26·CVSS 7.5
CVE-2026-48619 [HIGH] CVE-2026-48619 nodejs20: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames [fedora-all]
Published: 2026-06-26