Node.js
This hub aggregates every CVE we track for Node.js, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
252
CVEs tracked
23
Critical
129
High
1
In CISA KEV
Severity distribution
HIGH129MEDIUM84CRITICAL23LOW16
Monthly trend
0
8
0
1
0
4
1
0
0
5
2
2
1
1
1
1
0
16
1
7
0
0
10
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Node.js.
- CVE-2026-48930A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all su...9.8
- CVE-2026-48936A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release li...3.3
- CVE-2026-48935A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release l...3.3
- CVE-2026-48934A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **No...4.3
- CVE-2026-48618A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mis...6.5
- CVE-2026-48619A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported r...7.5
- CVE-2026-48615A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed throu...7.5
- CVE-2026-48933A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**,...7.5
- CVE-2026-48928A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**,...5.4
- CVE-2026-48931A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node....3.7
- CVE-2026-21715A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce ...3.3
- CVE-2026-21717A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such co...5.9
- CVE-2026-21713A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes...5.9
- CVE-2026-21714A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The...5.3
- CVE-2026-21716An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fch...3.3
Product normalization is registry-driven with AI assist and human review. How it works