nodejs: Evented IO for v8 JavaScript


Products by nodejs Sorted by Most Security Vulnerabilities since 2018

- nodejs node.js: 148 vulnerabilities
- nodejs Undici: 16 vulnerabilities
- nodejs: 9 vulnerabilities
- nodejs Elliptic: 1 vulnerability

Recent nodejs Security Advisories

| Advisory | Title | Published |
| --- | --- | --- |
| 2026-06-09 | Wednesday, June 17, 2026 Security Releases | June 9, 2026 |
| march-2026-hashdos | Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 | March 24, 2026 |
| 2026-03-17 | Tuesday, March 24, 2026 Security Releases | March 17, 2026 |
| 2026-01-28 | OpenSSL Security Advisory Assessment, January 2026 | January 28, 2026 |
| 2026-01-13 | Mitigating Denial-of-Service Vulnerability from Unrecoverable Stack Space Exhaustion for React, Next.js, and APM Users | January 13, 2026 |
| 2025-12-08 | Monday, December 15, 2025 Security Releases | December 8, 2025 |
| 2025-07-08 | Tuesday, July 15, 2025 Security Releases | July 8, 2025 |
| 2025-05-08 | Wednesday, May 14, 2025 Security Releases | May 8, 2025 |
| 2025-03-31 | Node.js Test CI Security Incident | March 31, 2025 |
| 2025-03-07 | Updates on CVE for End-of-Life Versions | March 7, 2025 |

By the Year

In 2026 there have been 31 vulnerabilities in nodejs with an average score of 7.0 out of ten. Last year, in 2025, nodejs had 6 security vulnerabilities published. That is, 25 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 3.90.




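| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 31 | 7.00 |
| 2025 | 6 | 3.10 |
| 2024 | 23 | 6.48 |
| 2023 | 24 | 6.98 |
| 2022 | 28 | 7.25 |
| 2021 | 27 | 7.41 |
| 2020 | 15 | 8.09 |
| 2019 | 14 | 5.77 |
| 2018 | 20 | 6.83 |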

It may take a day or so for new nodejs vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent nodejs Security Vulnerabilities

CVE-2026-48928 (Jun 26, 2026): Node.js Hostname Matching Trust-Policy Bypass in Multi-Context mTLS
An inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48619 (Jun 26, 2026): Node.js HTTP/2 Client OOM via Unlimited ORIGIN Frames
A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48933 (Jun 26, 2026): Node.js WebCrypto Crash via 2GiB Input in subtle.encrypt
A flaw in the Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48935 (Jun 26, 2026): Node.js Permission API Enables Unauthorized File Metadata Mod
A flaw in the Node.js Permission API can cause file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48618 (Jun 26, 2026): Node.js TLS Hostname Normalization Bypass via Unicode Dot Separator
A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a resolver and verifier hostname normalization mismatch. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48930 (Jun 26, 2026): Node.js TLS Hostname DoS via Embedded NUL Rebinding
A flaw in Node.js TLS hostname handling: embedded-NUL hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48615 (Jun 26, 2026): Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNEL
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48934 (Jun 26, 2026): Node.js TLS Host Verification Bypass in Certification Validation
A flaw in Node.js TLS host verification can allow an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CVE-2026-48936 (Jun 26, 2026): Node.js Permission API flaw spawns local server via Unix socket
A flaw in the Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission. This vulnerability affects one supported release line: **Node.js 26**.

CVE-2026-48931 (Jun 22, 2026): Node.js HTTP Agent accepts premature response
A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).