CVE-2026-48615
Analyzed Analyzed - Analysis Complete
Node.js Proxy Credential Exposure in Error Handling

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: HackerOne

Description
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
2026-06-26
NVD
CVE-2026-48615
EUVD
EUVD-2026-39606
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nodejs node.js 26.3.0
nodejs node.js 24.16.0
nodejs node.js 22.22.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js proxy tunnel error handling that can expose proxy credentials in error messages labeled as ERR_PROXY_TUNNEL.

When proxy credentials are included in the proxy URL, these credentials may be revealed through error handling paths and subsequently captured by logs, diagnostics, or other consumers of error information.

The issue affects all supported Node.js release lines: versions 22, 24, and 26.

Impact Analysis

The vulnerability can lead to the exposure of sensitive proxy credentials through error messages.

If these credentials are logged or accessed by unauthorized parties, it could compromise the security of proxy connections.

This exposure could allow attackers to misuse the proxy credentials, potentially leading to unauthorized access or interception of network traffic.

Mitigation Strategies

This vulnerability affects all supported Node.js release lines: 22, 24, and 26.

To mitigate this vulnerability, users should update Node.js to the latest patched versions where the issue is fixed.

Compliance Impact

This vulnerability in Node.js proxy tunnel error handling could expose proxy credentials through error messages that may be captured by logs or diagnostics.

Exposure of sensitive credentials in logs or error messages can lead to unauthorized access or data breaches, which may impact compliance with data protection regulations such as GDPR and HIPAA that require protection of sensitive information.

Therefore, organizations using affected Node.js versions should consider this vulnerability as a risk to confidentiality controls mandated by these standards and take appropriate mitigation steps, such as updating to patched versions and securing logs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart