CVE-2026-48618
Modified Modified - Updated After Analysis

TLS Wildcard Hostname Bypass in Node.js

Vulnerability report for CVE-2026-48618, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-16

Assigner: HackerOne

Description

A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-16
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nodejs node.js 26.3.0
nodejs node.js 24.16.0
nodejs node.js 22.22.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
CWE-289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js's TLS hostname handling related to how it processes unicode dot separators. Specifically, the way Node.js normalizes hostnames in the resolver and verifier can cause a mismatch, which allows a bypass of TLS wildcard-depth authentication.

In simpler terms, the system that checks if a server's TLS certificate matches the hostname can be tricked due to improper handling of certain unicode characters, potentially allowing unauthorized access.

Impact Analysis

This vulnerability can lead to a confidentiality impact by allowing an attacker to bypass the intended security boundaries of TLS authentication.

As a result, an attacker might be able to impersonate a trusted server or intercept sensitive communications that are supposed to be protected by TLS, potentially exposing confidential information.

Compliance Impact

The vulnerability in Node.js TLS hostname handling can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

Such confidentiality impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure authentication mechanisms.

However, there is no explicit information provided about direct effects on compliance with these standards.

Mitigation Strategies

To mitigate this vulnerability, users should update Node.js to the latest patched versions in the supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48618. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart