CVE-2026-48615 - Vulnerability Details

- nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling

Description

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.

When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Published: 2026-06-26

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Node.js proxy tunnel error handling can expose proxy credentials that are embedded in the proxy URL throughNEL error messages. These credentials may be captured by logs, diagnostics, or other error consumers, resulting in the disclosure of sensitive authentication data.

Affected Systems

Node.js, all supported release lines – Node.js 22, Node.js 24, and Node.js 26 – are impacted by this vulnerability.

Risk and Exploitability

The CVSS score of 5.9 is available and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of < 1% indicates a very low probability of exploitation. The likely attack vector is either local or remote access to the application’s error handling environment; an attacker or user with access to logs or error output could capture the exposed credentials. Exploitation requires only that an error occurs with a proxy URL containing credentials, and the exposed data will appear in the resulting error message.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nodejs

node

unaffected

Version	Status	Constraints
`22.22.3`	affected	≤ 22.22.3
`24.16.0`	affected	≤ 24.16.0
`26.3.0`	affected	≤ 26.3.0

No data.

Vendor Product Confidence Versions

Nodejs

92%

Version	Status	Scheme	Platform
`[22.22.3,22.22.3]`	affected	semver	—
`[24.16.0,24.16.0]`	affected	semver	—
`[26.3.0,26.3.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Node.js to the latest supported version that contains the fix for CVE-2026-48615 or apply the vendor’s patch release
Configure proxy authentication so that credentials are not embedded in the proxy URL, using separate authentication mechanisms or environment variables instead
Implement error handling that redacts or removes any sensitive credential information from logs, diagnostics, and other error consumers to mitigate CWE‑359 exposure

Generated by OpenCVE AI on June 27, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00392.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
https://nvd.nist.gov/vuln/detail/CVE-2026-48615
https://www.cve.org/CVERecord?id=CVE-2026-48615

History

Sat, 27 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Node.js Proxy Credential Exposure via ERR_PROXY_TUNNEL Error Messages	nodejs: Node.js: Information disclosure of proxy credentials via proxy tunnel error handling
Weaknesses		CWE-209
References		https://nvd.nist.gov/vuln/detail/CVE-2026-48615 https://www.cve.org/CVERecord?id=CVE-2026-48615
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 26 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 07:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nodejs Nodejs nodejs
Vendors & Products		Nodejs Nodejs nodejs

Fri, 26 Jun 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Node.js Proxy Credential Exposure via ERR_PROXY_TUNNEL Error Messages

Fri, 26 Jun 2026 01:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Weaknesses		CWE-359
References		https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
Metrics		cvssV3_0 `{'score': 5.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Nodejs Nodejs

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-06-26T01:14:36.524Z

Updated: 2026-06-26T13:35:00.592Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48615

Vulnrichment

Updated: 2026-06-26T13:34:52.982Z

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48615 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-27T02:00:10Z

Weaknesses

CWE-209
Generation of Error Message Containing Sensitive Information
CWE-359
Exposure of Private Personal Information to an Unauthorized Actor

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object