CVE-2026-48931

NONE EPSS 25.5%
Published Jun 22, 20261w ago · Modified Jun 23, 20261w ago
Find Similar
Published Jun 22, 2026 1w ago
Last Modified Jun 23, 2026 1w ago

Description

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Threat Intelligence

EPSS Exploit Probability
25.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-367

References 3

  • github.com https://github.com/nodejs/node/issues/63989
  • jdstaerk.substack.com https://jdstaerk.substack.com/p/nodejs-security-fix-silently-broke
  • nodejs.org https://nodejs.org/en/blog/vulnerability/june-2026-security-releases

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.