diff --git a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md index 3532a12e68b3c..db35dc5d6c693 100644 --- a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md 
@@ -1,12 +1,134 @@ --- -date: 2026-06-09T22:00:00.000Z +date: 2026-06-18T04:00:00.000Z category: vulnerability -title: Wednesday, June 17, 2026 Security Releases +title: Thursday, June 18, 2026 Security Releases slug: june-2026-security-releases layout: blog-post author: The Node.js Project --- +## (UPDATE 2026-06-18) Security releases available + +Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the +following issues. + +This security release includes the following dependency updates to address public vulnerabilities: + +- llhttp (9.4.2) on all release lines +- nghttp2 (1.69.0) on all release lines +- openssl (3.5.7) on all release lines +- undici (8.5.0) on 26.3.1 +- undici (7.28.0) on 24.17.0 +- undici (6.27.0) on 22.23.0 + +## Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) (CVE-2026-48933) - (high) + +A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to erichen for reporting this vulnerability and thank you Panva for fixing it. + +## Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat (CVE-2026-48618) - (high) + +A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. + +This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. 
+ +## Proxy credentials leaked in ERR_PROXY_TUNNEL error message (CVE-2026-48615) - (medium) + +A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. + +When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to nssys for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Permission Model Bypass via `process.report.writeReport()` Path Misvalidation (CVE-2026-48617) - (low) + +A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. + +This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to suul for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames (CVE-2026-48619) - (medium) + +A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to kingsd for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors (CVE-2026-48937) - (medium) + +A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. + +This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. 
+ +Thank you, Tim Perry, for reporting this vulnerability and for fixing it. + +## Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (CVE-2026-48928) - (medium) + +A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (CVE-2026-48930) - (medium) + +A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (CVE-2026-48934) - (medium) + +A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to 3d7omb for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Permission Model bypass via FileHandle.utimes() in the promises API (CVE-2026-48935) - (low) + +A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to muhammaddaffa for reporting this vulnerability and thank you RafaelGSS for fixing it. 
+ +## Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) (CVE-2026-48936) - (low) + +A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. + +This vulnerability affects one supported release line: **Node.js 26**. + +Thank you, to cyberjoker for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent` (CVE-2026-48931) - (low) + +A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to yushengchen for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Downloads and release details + +- [Node.js v22.23.1](/blog/release/v22.23.1/) +- [Node.js v24.17.1](/blog/release/v24.17.1/) +- [Node.js v26.3.2](/blog/release/v26.3.2/) + # Summary The Node.js project will release new versions of the 26.x, 24.x, 22.x @@ -25,7 +147,7 @@ To ensure your system's security, please use an up-to-date version as outlined i ## Release timing -Releases will be available on, or shortly after, Wednesday, June 17, 2026. +Releases are available as of Thursday, June 18, 2026. ## Contact and future updates diff --git a/apps/site/site.json b/apps/site/site.json index b9943dd27a17b..86a3100ad6cca 100644 --- a/apps/site/site.json +++ b/apps/site/site.json 
@@ -29,10 +29,10 @@ ], "websiteBanners": { "index": { - "startDate": "2026-03-24T03:00:00.000Z", - "endDate": "2026-03-31T03:00:00.000Z", - "text": "March Security Release is available", - "link": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", + "startDate": "2026-06-16T22:00:00.000Z", + "endDate": "2026-06-23T22:00:00.000Z", + "text": "June Security Release is available", + "link": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases", "type": "warning" } },
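Review bot: In the first hunk of june-2026-security-releases.md, the description paragraphs for CVE-2026-48618 and CVE-2026-48930 paste the heading text in place of an actual description, producing sentences that do not parse ("A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat."); the CVE-2026-48618 heading is also cut off at "mismat" and should read "mismatch". Each of these two entries needs a one-sentence plain-language description of the flaw, in the same style as the other entries (for example, "A mismatch between how the resolver and the certificate verifier normalize hostnames can cause wildcard certificates to match hostnames they should not."). Separately, the dependency-update bullets name "undici (8.5.0) on 26.3.1", "undici (7.28.0) on 24.17.0" and "undici (6.27.0) on 22.23.0", but the "Downloads and release details" list links v26.3.2, v24.17.1 and v22.23.1; one of the two sets of version numbers is wrong and they should agree. Smaller fixes in the same hunk: "A inconsistency" should be "An inconsistency" (CVE-2026-48928), "a response that is send before" should be "is sent before" (CVE-2026-48931), "a file metadata" should be "file metadata" (CVE-2026-48935), "2GiB" should be "2 GiB", and the repeated "Thank you, to X" should drop the comma ("Thank you to X").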
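Review bot: The second hunk of june-2026-security-releases.md changes "Release timing" to "Releases are available as of Thursday, June 18, 2026.", but the unchanged Summary text shown at the end of the first hunk still reads "The Node.js project will release new versions of the 26.x, 24.x, 22.x", i.e. future tense. With the update banner at the top saying "Updates are now available", the Summary should be reworded to past tense (for example, "The Node.js project has released new versions of the 26.x, 24.x, 22.x ...") so the post does not contradict itself.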
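Review bot: In the site.json hunk, "startDate": "2026-06-16T22:00:00.000Z" precedes the post's own date of 2026-06-18T04:00:00.000Z, so the "June Security Release is available" banner would be shown for roughly 30 hours before any fixed release exists, pointing readers at a post that at that time still announced a future release. Set startDate to match the release date (2026-06-18T04:00:00.000Z) and shift endDate by the same amount if the intended banner window is one week.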