nodejs Evented IO for v8 JavaScript
Recent nodejs Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-06-09 | Wednesday, June 17, 2026 Security Releases | June 9, 2026 |
| march-2026-hashdos | Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 | March 24, 2026 |
| 2026-03-17 | Tuesday, March 24, 2026 Security Releases | March 17, 2026 |
| 2026-01-28 | OpenSSL Security Advisory Assessment, January 2026 | January 28, 2026 |
| 2026-01-13 | Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users | January 13, 2026 |
| 2025-12-08 | Monday, December 15, 2025 Security Releases | December 8, 2025 |
| 2025-07-08 | Tuesday, July 15, 2025 Security Releases | July 8, 2025 |
| 2025-05-08 | Wednesday, May 14, 2025 Security Releases | May 8, 2025 |
| 2025-03-31 | Node.js Test CI Security Incident | March 31, 2025 |
| 2025-03-07 | Updates on CVE for End-of-Life Versions | March 7, 2025 |
By the Year
In 2026 there have been 31 vulnerabilities in nodejs, with an average score of 7.0 out of ten. Last year, in 2025, nodejs had 6 security vulnerabilities published. That is, 25 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 3.90.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 31 | 7.00 |
| 2025 | 6 | 3.10 |
| 2024 | 23 | 6.48 |
| 2023 | 24 | 6.98 |
| 2022 | 28 | 7.25 |
| 2021 | 27 | 7.41 |
| 2020 | 15 | 8.09 |
| 2019 | 14 | 5.77 |
| 2018 | 20 | 6.83 |
It may take a day or so for new nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent nodejs Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-48928 | Jun 26, 2026 | Node.js Hostname Matching Trust-Policy Bypass in Multi-Context mTLS: An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48619 | Jun 26, 2026 | Node.js HTTP/2 Client OOM via Unlimited ORIGIN Frames: A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48933 | Jun 26, 2026 | Node.js WebCrypto Crash via 2GiB Input in subtle.encrypt: A flaw in the Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48935 | Jun 26, 2026 | Node.js Permission API Enables Unauthorized File Metadata Mod: A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48618 | Jun 26, 2026 | Node.js TLS Hostname Normalization Bypass via Unicode Dot Separator: In Node.js TLS hostname handling, Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a resolver and verifier hostname normalization mismatch. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48930 | Jun 26, 2026 | Node.js TLS Hostname DoS via Embedded NUL Rebinding: In Node.js TLS hostname handling, embedded-NUL hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48615 | Jun 26, 2026 | Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNEL: A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48934 | Jun 26, 2026 | Node.js TLS Host Verification Bypass in Certification Validation: A flaw in Node.js TLS host verification can allow an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |
| CVE-2026-48936 | Jun 26, 2026 | Node.js Permission API flaw spawns local server via Unix socket: A flaw in the Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**. | |
| CVE-2026-48931 | Jun 22, 2026 | Node.js HTTP Agent accepts premature response CVE-2026-48931: A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | |