Node.js HTTP Agent accepts premature response CVE-2026-48931
CVE-2026-48931 Published on June 22, 2026
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weakness Type
What is a TOCTTOU Vulnerability?
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
CVE-2026-48931 has been classified to as a TOCTTOU vulnerability or weakness.
Affected Versions
nodejs node:- Version 22.22.3, <= 22.22.3 is affected.
- Version 24.16.0, <= 24.16.0 is affected.
- Version 26.3.0, <= 26.3.0 is affected.