CVE-2026-48619
Analyzed - Analysis Complete
Node.js HTTP/2 Client Memory Exhaustion via ORIGIN Frames

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: HackerOne

Description
A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: 2026-06-26
Affected Vendors & Products

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| nodejs | node.js | 26.3.0 |
| nodejs | node.js | 24.16.0 |
| nodejs | node.js | 22.22.3 |
CWE

| CWE ID | Description |
|--------|-------------|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Executive Summary

This vulnerability is a flaw in the Node.js HTTP/2 client where a server can send an unlimited number of ORIGIN frames.

Because there is no limit on these frames, the client can run out of memory, leading to an Out of Memory error.

Impact Analysis

The impact of this vulnerability is that a malicious or compromised server could cause the Node.js HTTP/2 client to consume excessive memory.

This can lead to an Out of Memory error on the client side, potentially causing the application to crash or become unresponsive.

Compliance Impact

The vulnerability in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, potentially causing an Out of Memory error on the client. This results in an availability impact (denial of service) but does not affect confidentiality or integrity.

Since the vulnerability does not lead to unauthorized access, data leakage, or modification, it has limited direct impact on compliance with data protection standards such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.

However, the availability impact could indirectly affect compliance if the affected systems are critical for maintaining required service levels or uptime mandated by certain regulations.

Mitigation Strategies

This vulnerability affects all supported Node.js release lines: 22, 24, and 26.

To mitigate this vulnerability, users should update Node.js to the latest patched versions where the issue has been fixed.
