CVE-2026-48615_CVE-2026-48615

5.9 / 10

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.

When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Basic Information

ID CVE-2026-48615

Source hackerone

Published Jun 26, 2026 at 01:14

Affected Product

Vendor nodejs

Product node

Version 22.22.3

Affected Versions nodejs node 22.22.3
nodejs node 24.16.0
nodejs node 26.3.0

CWE Classification

CWE-359

References

nodejs.org /en/blog/vulnerability/june-2026-security-releases

{
    "lastseen": "",
    "description": "A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages.\r\n\r\nWhen proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.",
    "published": "2026-06-26T01:14:36.524Z",
    "modified": "2026-06-26T01:14:36.524Z",
    "type": "cve",
    "title": "CVE-2026-48615",
    "source": "hackerone",
    "references": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases",
    "id": "CVE-2026-48615",
    "bulletinFamily": "",
    "cwe": [
        "CWE-359"
    ],
    "cvelist": null,
    "sourceData": "nodejs node 22.22.3\nnodejs node 24.16.0\nnodejs node 26.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "node",
    "version": "22.22.3",
    "vendor": "nodejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}