Description
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.

This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Node.js’s TLS hostname handling causes a mismatch between resolver and verifier string normalization when Unicode dot separators are used. This produces a wildcard‑depth authentication bypass that can allow an attacker to impersonate a legitimate client and obtain confidential information. The weakness is categorized as CWE‑176 (unsafe string comparison) and CWE‑289 (improper normalization).

Affected Systems

All currently supported Node.js releases are affected, including Node.js 22, 24, and 26. Any application running on these versions that establishes TLS connections and performs hostname verification is potentially vulnerable unless mitigated by a newer runtime.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote network‑based exploitation where an attacker crafts a specially encoded hostname that satisfies a wildcard certificate, causing the server to accept an unauthorized connection. The attack requires the target to use TLS connections that rely on wildcard certificate matching and process Unicode hostnames.

Generated by OpenCVE AI on June 27, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest minor release in the 22, 24, or 26 series that includes the TLS hostname handling fix.
  • If upgrade is not immediately possible, configure the application to reject any TLS connections that use wildcard certificates or contain Unicode dot separators by enforcing strict hostname verification.
  • Implement logging and monitoring of TLS handshake failures involving hostname mismatches to detect attempted bypasses.

Generated by OpenCVE AI on June 27, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Node.js TLS Wildcard Verification Bypass via Unicode Dot Separator nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-289
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 26 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Node.js TLS Wildcard Verification Bypass via Unicode Dot Separator

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weaknesses CWE-176
References
Metrics cvssV3_0

{'score': 7.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Nodejs Nodejs
Redhat Hummingbird
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T15:10:40.049Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48618

cve-icon Vulnrichment

Updated: 2026-06-26T15:10:33.683Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-26T01:14:36Z

Links: CVE-2026-48618 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:00:12Z

Weaknesses
  • CWE-176

    Improper Handling of Unicode Encoding

  • CWE-289

    Authentication Bypass by Alternate Name