CVE-2026-48931
Modified Modified - Updated After Analysis

HTTP Response Splitting in Node.js HTTP Agent

Vulnerability report for CVE-2026-48931, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-03

Assigner: HackerOne

Description

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-03
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
nodejs node.js 26.3.0
nodejs node.js 24.16.0
nodejs node.js 22.22.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in the Node.js HTTP Agent where a client can mistakenly accept a response as valid even before it has sent the corresponding request.

It affects all supported Node.js release lines: 22, 24, and 26.

Impact Analysis

The vulnerability could lead to a client accepting responses prematurely, which may cause unexpected behavior or potential security issues such as information misinterpretation or logic errors in applications relying on Node.js HTTP Agent.

The CVSS score of 3.7 indicates a low severity impact with no confidentiality or availability impact, but a low integrity impact.

Mitigation Strategies

To mitigate this vulnerability, users should update Node.js to the latest patched versions of the supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Detection Guidance

This vulnerability manifests as errors in applications using Node.js HTTP Agent with keep-alive sockets, particularly when using the node-fetch@2 library. One indicator is the occurrence of the error ERR_STREAM_PREMATURE_CLOSE during HTTPS requests with chunked or gzip-encoded responses.

To detect this issue on your system, monitor logs of Node.js applications for the ERR_STREAM_PREMATURE_CLOSE error, especially if they use node-fetch@2 or related libraries like cross-fetch@4 or gaxios.

Since the problem is related to HTTP keep-alive sockets and response handling, you can also check the Node.js version in use to see if it is v24.17.0 or later, where the regression was introduced.

There are no specific network commands provided in the resources to detect this vulnerability directly. However, you can use standard network monitoring tools to observe HTTP traffic patterns and errors in application logs.

For example, to check the Node.js version on your system, you can run:

  • node -v

To monitor application logs for the specific error, you might use commands like:

  • grep 'ERR_STREAM_PREMATURE_CLOSE' /path/to/your/app/logs

If you suspect the issue is triggered by HTTP keep-alive usage, review your application's HTTP Agent configuration for the keepAlive option.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48931. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart