CVE-2026-48615 | A flaw in Node.js proxy tunnel error handling could expose p… | CVSS 5.9 MEDIUM

Description

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Metadata

CVE ID: CVE-2026-48615
State: PUBLISHED
Assigner: hackerone
Reserved: 2026-05-22 15:00 UTC
Published: 2026-06-26 01:14 UTC
Last updated: 2026-06-26 13:35 UTC
Primary CWE: CWE-359
CWE-359 Privacy Violation
Vendor / Product: nodejs / node
Sources: cve.org · NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.0

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
nodejs	node	—	22.22.3 ≤ 22.22.3, 24.16.0 ≤ 24.16.0, 26.3.0 ≤ 26.3.0

Weakness (CWE)

CWE	Source	Description
CWE-359	cna	CWE-359 Privacy Violation

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.9	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (1)

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases