Node.js fixes TLS flaws that let attackers impersonate trusted servers

Node.js, the JavaScript runtime that powers a huge share of the world's web servers and back-end services, has shipped a security update fixing 13 vulnerabilities, including several that weaken one of the internet's core trust checks: confirming that the server you are talking to over an encrypted connection is really the one it claims to be. The releases, published on June 18, 2026, are a proactive fix, with no sign yet that any of the flaws have been used in attacks, but anyone running an affected version should update.

The update covers every supported release line. Fixed builds are Node.js 22.23.0, 24.17.0, and 26.3.1. Two of the 13 issues are rated high severity, and a striking number of the rest target TLS, the protocol that secures HTTPS and other encrypted traffic.

A cluster of TLS bypasses

The headline flaw, CVE-2026-48618, is a TLS hostname verification bypass. When software opens a secure connection it checks that the name on the server's certificate matches the site it meant to reach. Node.js handled certain Unicode characters that look like dots inconsistently between the part that resolves the name and the part that verifies it, a mismatch that can let an attacker slip past wildcard certificate checks and pass a malicious server off as a trusted one. It was reported by a researcher using the handle tmeletlidis and fixed by Node.js maintainer Matteo Collina.

It is not alone. The same release fixes three more identity verification weaknesses in TLS: uppercase letters in the server name field (SNI) could bypass mutual TLS authorization (CVE-2026-48928); a hostname containing an embedded null byte could trigger a silent rebind to a different authority (CVE-2026-48930); and a connection reused from an earlier session could be accepted for a different server name than the one it was established for (CVE-2026-48934). Together they point to a systemic weak spot in how the runtime decides whether a peer is who it says it is, the exact check that stops impersonation and man-in-the-middle attacks. It is the same class of weakness, an authentication bypass, that recently hit a Check Point VPN product exploited in the wild.

The other fixes

The second high-severity bug, CVE-2026-48933, is a denial-of-service flaw in WebCrypto: feeding the encrypt function an input that is a multiple of 2 gibibytes can crash the process through an integer overflow. The remaining fixes include proxy credentials leaking into error messages (CVE-2026-48615), several HTTP/2 memory exhaustion and cleanup problems a malicious peer could trigger (CVE-2026-48619, CVE-2026-48937), an HTTP request queue poisoning race condition (CVE-2026-48931), and three bypasses of Node's experimental permission model, the sandbox meant to restrict what a script can read, write, or reach on the network (CVE-2026-48617, CVE-2026-48935, CVE-2026-48936).

What you should do

Upgrade to Node.js 22.23.0, 24.17.0, or 26.3.1 depending on your release line. The TLS identity verification fixes matter most for any service that relies on certificate validation or mutual TLS to decide who it trusts, including internal APIs, service-to-service traffic, and proxies. Because Node.js sits underneath so much server and tooling code, the flaws also ripple into the wider JavaScript ecosystem, which has been a repeated target for attackers, from the self-spreading Shai-Hulud npm worm to a run of dependency compromises. Teams that cannot patch immediately should prioritize internet-facing and trust-boundary services. You can read the full breakdown in the official Node.js advisory.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
