CVE-2026-48615

HIGH

Node - Exposure of Private Personal Information to an Unauthorized Actor

Title source: rule
STIX 2.1

Description

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Scores

CVSS v3 7.5
EPSS 0.0044
EPSS Percentile 35.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-359
Status published
Products (6)
nodejs/node 22.22.3
nodejs/node 24.16.0
nodejs/node 26.3.0
nodejs/node.js 22.22.3
nodejs/node.js 24.16.0
nodejs/node.js 26.3.0
Published Jun 26, 2026
Tracked Since Jun 26, 2026