CVE-2026-48930
Published 2026-06-26
Priority: P350 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% (29.9th percentile)
A flaw in Node.js TLS hostname handling: embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nodejs | node | 22.22.3 – 22.22.3 | — |
| nodejs | node | 24.16.0 – 24.16.0 | — |
| nodejs | node | 26.3.0 – 26.3.0 | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | node.js | — | — |
| nodejs | nodejs | — | — |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 5.6 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| vendor_redhat | — | 9.8 | CRITICAL | — |
VulDB
vuldb · 2026-06-27 · CVSS 9.8
CVE-2026-48930 [CRITICAL] Node.js up to 22.22.3/24.16.0/26.3.0 access control (Nessus ID 323047)
A vulnerability was found in Node.js up to 22.22.3/24.16.0/26.3.0. It has been declared as critical. Affected by this issue is some unknown functionality. The manipulation results in improper access controls.
This vulnerability is known as CVE-2026-48930. It is possible to launch the attack remotely. No exploit is available.
GHSA
ghsa_unreviewed · 2026-06-26
CVE-2026-48930 [MEDIUM] CWE-284
A flaw in Node.js TLS hostname handling: embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Red Hat
vendor_redhat · 2026-06-26 · CVSS 9.8
CVE-2026-48930 [CRITICAL] CWE-170 nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling
A flaw was found in Node.js. This vulnerability in the TLS (Transport Layer Security) hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose sensitive information.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: nodejs22 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs24 (Red Hat Enterprise Linux 10) - Fix deferred
Package: nodejs (
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-06-26 · CVSS 9.8
CVE-2026-48930 [CRITICAL] nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling
A flaw in Node.js TLS hostname handling: embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Bugzilla
bugzilla · 2026-06-26 · CVSS 9.8
CVE-2026-48930 [CRITICAL] nodejs20: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling [fedora-all]
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.
Bugzilla
bugzilla · 2026-06-26 · CVSS 9.8
CVE-2026-48930 [CRITICAL] nodejs22: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling [fedora-all]
Bugzilla
bugzilla · 2026-06-26 · CVSS 9.8
CVE-2026-48930 [CRITICAL] nodejs24: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling [fedora-all]