Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNEL
CVE-2026-48615 Published on June 26, 2026

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

NVD

Weakness Type

What is a Privacy violation Vulnerability?

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CVE-2026-48615 has been classified to as a Privacy violation vulnerability or weakness.

Affected Versions

nodejs node:

Version 22.22.3, <= 22.22.3 is affected.
Version 24.16.0, <= 24.16.0 is affected.
Version 26.3.0, <= 26.3.0 is affected.

Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNELCVE-2026-48615 Published on June 26, 2026

Weakness Type

What is a Privacy violation Vulnerability?

Affected Versions

Node.js Proxy Tunnel Error exposes credentials via ERR_PROXY_TUNNEL
CVE-2026-48615 Published on June 26, 2026