CVE-2026-48618
Analyzed Analyzed - Analysis Complete
TLS Wildcard Hostname Bypass in Node.js

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: HackerOne

Description
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-27
AI Q&A
2026-06-26
EPSS Evaluated
2026-06-26
NVD
CVE-2026-48618
EUVD
EUVD-2026-39610
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
nodejs node.js 26.3.0
nodejs node.js 24.16.0
nodejs node.js 22.22.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js's TLS hostname handling related to how it processes unicode dot separators. Specifically, the way Node.js normalizes hostnames in the resolver and verifier can cause a mismatch, which allows a bypass of TLS wildcard-depth authentication.

In simpler terms, the system that checks if a server's TLS certificate matches the hostname can be tricked due to improper handling of certain unicode characters, potentially allowing unauthorized access.

Impact Analysis

This vulnerability can lead to a confidentiality impact by allowing an attacker to bypass the intended security boundaries of TLS authentication.

As a result, an attacker might be able to impersonate a trusted server or intercept sensitive communications that are supposed to be protected by TLS, potentially exposing confidential information.

Compliance Impact

The vulnerability in Node.js TLS hostname handling can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

Such confidentiality impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure authentication mechanisms.

However, there is no explicit information provided about direct effects on compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, users should update Node.js to the latest patched versions in the supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48618. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart