CVE-2026-48615
Last modified
CVE-2026-48615 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.. EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nodejs | Node.Js | 22.22.3 |
| Nodejs | Node.Js | 24.16.0 |
| Nodejs | Node.Js | 26.3.0 |
References
- https://nodejs.org/en/blog/vulnerability/june-2026-security-releasesPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-48615?
How severe is CVE-2026-48615?
How do I fix CVE-2026-48615?
Are you affected by CVE-2026-48615?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST