CVE-2026-48931
NONE EPSS 25.5%
Published Jun 22, 20261w ago · Modified Jun 23, 20261w ago
Published Jun 22, 2026 1w ago
Last Modified Jun 23, 2026 1w ago
Description
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Threat Intelligence
EPSS Exploit Probability
25.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-367
References 3
- github.com https://github.com/nodejs/node/issues/63989
- jdstaerk.substack.com https://jdstaerk.substack.com/p/nodejs-security-fix-silently-broke
- nodejs.org https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.