Description
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-26
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Node.js TLS hostname handling permits the insertion of embedded NUL characters in hostnames, which causes C‑string truncation in resolver bindings. This silent authority rebinding bypasses normal hostname verification, enabling an attacker to impersonate the intended server during TLS connections. The weakness corresponds to CWE‑284 and CWE‑170, indicating insecure permission handling and improper handling of null characters during hostname processing.

Affected Systems

Node.js versions 22, 24, and 26 are all affected. The defect resides in the core TLS implementation bundled with Node.js and may impact any application that creates HTTPS/TLS client connections with hostname validation enabled.

Risk and Exploitability

The CVSS score of 5.6 indicates medium severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, which suggests no publicly known exploitation. Based on the description, the likely attack vector is network‑based, where a malicious server sends a TLS request that includes an embedded NUL. If the victim application accepts the truncated hostname, the attacker could hijack the TLS session endpoint without detection.

Generated by OpenCVE AI on June 27, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest patched release on the 22, 24, or 26 line that resolves the TLS hostname truncation flaw.
  • Validate any hostname inputs passed to Node's TLS client functions, ensuring NUL characters are removed before connection establishment to address the CWE‑284 and CWE‑170 weaknesses.
  • Enforce strict hostname verification in the TLS client by setting rejectUnauthorized to true and validating the exact server hostname against the certificate.

Generated by OpenCVE AI on June 27, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Node.js TLS Hostname Flaw Enables Authority Rebinding via Embedded NUL nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling
Weaknesses CWE-170
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Fri, 26 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Fri, 26 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title Node.js TLS Hostname Flaw Enables Authority Rebinding via Embedded NUL

Fri, 26 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T13:37:46.190Z

Reserved: 2026-05-26T15:00:06.427Z

Link: CVE-2026-48930

cve-icon Vulnrichment

Updated: 2026-06-26T13:37:42.480Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T01:14:37Z

Links: CVE-2026-48930 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T02:00:10Z

Weaknesses