<Vulnerability name="CVE-2026-48618">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-26T01:14:36</PublicDate>
    <Bugzilla id="2493337" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493337" xml:lang="en:us">
nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-289</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35841">RHSA-2026:35841</Advisory>
        <Package name="nodejs24">nodejs24-1:24.18.0-1.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35842">RHSA-2026:35842</Advisory>
        <Package name="nodejs22">nodejs22-1:22.23.1-2.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux_eus:10.0">
        <ProductName>Red Hat Enterprise Linux 10.0 Extended Update Support</ProductName>
        <ReleaseDate>2026-07-14T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39246">RHSA-2026:39246</Advisory>
        <Package name="nodejs22">nodejs22-1:22.23.1-2.el10_0</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <ReleaseDate>2026-07-15T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39868">RHSA-2026:39868</Advisory>
        <Package name="nodejs:24">nodejs:24-8100020260630152626.6d880403</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35891">RHSA-2026:35891</Advisory>
        <Package name="nodejs:24">nodejs:24-9080020260626074955.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35892">RHSA-2026:35892</Advisory>
        <Package name="nodejs:22">nodejs:22-9080020260626075442.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:28727">RHSA-2026:28727</Advisory>
        <Package name="nodejs22-main">nodejs22-main-22.23.1-1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29012">RHSA-2026:29012</Advisory>
        <Package name="nodejs24-main">nodejs24-main-24.18.0-0.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:30172">RHSA-2026:30172</Advisory>
        <Package name="nodejs26-main">nodejs26-main-26.4.0-1.2.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-10T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:7378">RHSA-2026:7378</Advisory>
        <Package name="nodejs25-main">nodejs25-main-25.9.0-1.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-21T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:9455">RHSA-2026:9455</Advisory>
        <Package name="nodejs20-main">nodejs20-main-20.20.2-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>nodejs:22/nodejs</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48618
https://nvd.nist.gov/vuln/detail/CVE-2026-48618
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
    </References>
</Vulnerability>