From 9ecaadf36d956a7132f1392d9bc5d465206b297d Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 18 Jun 2026 11:49:13 +0200 Subject: [PATCH 1/5] blog: update june 2026 security releases announcement --- .../june-2026-security-releases.md | 127 +++++++++++++++++- 1 file changed, 125 insertions(+), 2 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md index 3532a12e68b3c..25297d5271495 100644 --- a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md @@ -1,5 +1,5 @@ --- -date: 2026-06-09T22:00:00.000Z +date: 2026-06-18T04:00:00.000Z category: vulnerability title: Wednesday, June 17, 2026 Security Releases slug: june-2026-security-releases 
@@ -7,6 +7,129 @@ layout: blog-post author: The Node.js Project --- +## Security releases available + +Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the +following issues. + +This security release includes the following dependency updates to address public vulnerabilities: + +- llhttp (9.4.2) on all release lines +- nghttp2 (1.69.0) on all release lines +- openssl (3.5.7) on all release lines +- undici (8.5.0) on 26.3.1 +- undici (7.28.0) on 24.17.0 +- undici (6.27.0) on 22.23.0 + +## Node.js WebCrypto AES Integer Overflow Leads to Remote Process Abort (DoS) (CVE-2026-48933) - (high) + +A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to erichen for reporting this vulnerability and thank you Panva for fixing it. + +## Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat (CVE-2026-48618) - (high) + +A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. + +This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Proxy credentials leaked in ERR_PROXY_TUNNEL error message (CVE-2026-48615) - (medium) + +A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. 
+ +When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to nssys for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Permission Model Bypass via `process.report.writeReport()` Path Misvalidation (CVE-2026-48617) - (low) + +A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. + +This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to suul for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames (CVE-2026-48619) - (medium) + +A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to kingsd for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors (CVE-2026-48937) - (medium) + +A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. + +This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**. + +Thank you, Tim Perry, for reporting this vulnerability and for fixing it. 
+ +## Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching (CVE-2026-48928) - (medium) + +A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings (CVE-2026-48930) - (medium) + +A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to tmeletlidis for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## TLS host identity verification bypass via session reuse with different servername leads to unauthorized connections (CVE-2026-48934) - (medium) + +A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to 3d7omb for reporting this vulnerability and thank you Matteo Collina for fixing it. + +## Permission Model bypass via FileHandle.utimes() in the promises API (CVE-2026-48935) - (low) + +A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to muhammaddaffa for reporting this vulnerability and thank you RafaelGSS for fixing it. 
+ +## Unix domain socket server bypasses --permission network restrictions (incomplete CVE-2026-21636 fix) (CVE-2026-48936) - (low) + +A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. + +This vulnerability affects one supported release line: **Node.js 26**. + +Thank you, to cyberjoker for reporting this vulnerability and thank you RafaelGSS for fixing it. + +## HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent` (CVE-2026-48931) - (low) + +A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. + +This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. + +Thank you, to yushengchen for reporting this vulnerability and thank you Matteo Collina for fixing it. + + +## Downloads and release details + +- [Node.js v22.23.1](/blog/release/v22.23.1/) +- [Node.js v24.17.1](/blog/release/v24.17.1/) +- [Node.js v26.3.2](/blog/release/v26.3.2/) + # Summary The Node.js project will release new versions of the 26.x, 24.x, 22.x @@ -25,7 +148,7 @@ To ensure your system's security, please use an up-to-date version as outlined i ## Release timing -Releases will be available on, or shortly after, Wednesday, June 17, 2026. +Releases are available as of Thursday, June 18, 2026. ## Contact and future updates From a8f4b5dfad945dd5d3e3cb59dc274dd76f769ce9 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 18 Jun 2026 11:55:36 +0200 Subject: [PATCH 2/5] fixup! blog: update june 2026 security releases announcement --- .../pages/en/blog/vulnerability/june-2026-security-releases.md | 1 - 1 file changed, 1 deletion(-) diff --git a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md index 25297d5271495..615a83a98067b 100644 
--- a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md @@ -123,7 +123,6 @@ This vulnerability affects all supported release lines: **Node.js 22**, **Node.j Thank you, to yushengchen for reporting this vulnerability and thank you Matteo Collina for fixing it. - ## Downloads and release details - [Node.js v22.23.1](/blog/release/v22.23.1/) From 1f7685098027bd52475e14474302376ba7084d2f Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 18 Jun 2026 15:13:14 +0200 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Rafael Gonzaga Co-authored-by: Antoine du Hamel Signed-off-by: Antoine du Hamel --- .../en/blog/vulnerability/june-2026-security-releases.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md index 615a83a98067b..db77dd032b1f9 100644 --- a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md @@ -1,13 +1,13 @@ --- date: 2026-06-18T04:00:00.000Z category: vulnerability -title: Wednesday, June 17, 2026 Security Releases +title: Thursday, June 18, 2026 Security Releases slug: june-2026-security-releases layout: blog-post author: The Node.js Project --- -## Security releases available +## (UPDATE 2026-06-18) Security releases available Updates are now available for the 26.x, 24.x, 22.x Node.js release lines for the following issues. From 28ae1628a34cf5104ec6ed30b58e3f38d53d8b0d Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 18 Jun 2026 15:18:50 +0200 Subject: [PATCH 4/5] squash! ??? --- .../pages/en/blog/vulnerability/june-2026-security-releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md index db77dd032b1f9..db35dc5d6c693 100644 --- a/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md +++ b/apps/site/pages/en/blog/vulnerability/june-2026-security-releases.md @@ -1,7 +1,7 @@ --- date: 2026-06-18T04:00:00.000Z category: vulnerability -title: Thursday, June 18, 2026 Security Releases +title: Thursday, June 18, 2026 Security Releases slug: june-2026-security-releases layout: blog-post author: The Node.js Project From d1aed79705d9b67b66207b434fb0d7fd0a593e0a Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 18 Jun 2026 15:23:16 +0200 Subject: [PATCH 5/5] squash1 add banner --- apps/site/site.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/site/site.json b/apps/site/site.json index b9943dd27a17b..86a3100ad6cca 100644 --- a/apps/site/site.json +++ b/apps/site/site.json @@ -29,10 +29,10 @@ ], "websiteBanners": { "index": { - "startDate": "2026-03-24T03:00:00.000Z", - "endDate": "2026-03-31T03:00:00.000Z", - "text": "March Security Release is available", - "link": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", + "startDate": "2026-06-16T22:00:00.000Z", + "endDate": "2026-06-23T22:00:00.000Z", + "text": "June Security Release is available", + "link": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases", "type": "warning" } },
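Review bot: The CVE-2026-48618 and CVE-2026-48930 descriptions in the second hunk of patch 1 paste the heading into the sentence ("A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to ... mismat."), and the 48618 heading and sentence both end on the truncated word "mismat"; the CVE-2026-48617 sentence has the same heading-pasted shape ("allows Bypass via `process.report.writeReport()` Path Misvalidation"). Each should be a standalone sentence that completes "mismatch" and paraphrases the heading, e.g. for 48618 "A mismatch between how the resolver and the certificate verifier normalize Unicode dot separators in hostnames can let a wildcard certificate be accepted at a different label depth than intended." Smaller fixes in the same hunk: "A inconsistency" (CVE-2026-48928) should read "An inconsistency"; "a response that is send" (CVE-2026-48931) should be "sent"; "can cause a file metadata to be modified" (CVE-2026-48935) should drop the article, and "`--allow-fs-read`" grants read access rather than marking a path read-only, so the clause should say the path was granted only `--allow-fs-read`; the "Thank you, to ..." credit lines carry a stray comma in all but the Tim Perry entry. Two consistency points: the dependency list says undici landed "on 26.3.1", "on 24.17.0" and "on 22.23.0" while the download links point at v26.3.2, v24.17.1 and v22.23.1, so one of the two sets is stale; and the unchanged trailing context still reads "# Summary / The Node.js project will release new versions ...", an H1 in the future tense sitting below the new H2 sections that say the releases are out, so it should be demoted to "##" and reworded to the past tense in this same change.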
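Review bot: Patch 2 only removes the second blank line that patch 1 inserted before "## Downloads and release details"; since it is marked "fixup!", autosquash it into patch 1 before merge so the history does not carry a whitespace-only commit.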
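Review bot: In patch 4 the removed and added "title: Thursday, June 18, 2026 Security Releases" lines are byte-identical as rendered, so the actual change must be in characters the diff does not show (presumably trailing whitespace or a non-ASCII space picked up from the code-review suggestion applied in patch 3). The commit message "squash! ???" should state what is being corrected so the next reviewer does not have to guess, and like patch 2 it should be squashed into the commit it fixes before merge.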
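Review bot: In patch 5 the banner "startDate" of 2026-06-16T22:00:00.000Z is earlier than the post's own "date" of 2026-06-18T04:00:00.000Z set in patch 1 and the "Releases are available as of Thursday, June 18, 2026" line, so the "June Security Release is available" banner would be live for roughly a day and a half before the releases it advertises exist if the site is deployed before the releases go out. Align "startDate" with the post's date; the seven-day window to "endDate" matches the March banner being replaced and can stay.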