improper-certificate-validation
CVE-2026-48618
Node.js
CVSS Details
CVSS Score: High
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness: CWE-295 Improper Certificate Validation
Description
A flaw in how Node.js TLS hostname handling treats Unicode dot separators can lead to a TLS wildcard-depth authentication bypass. The mismatch arises because the resolver and the certificate verifier normalize hostnames differently: Unicode characters that one component treats as dot separators and the other does not allow a wildcard certificate to match a hostname at an unintended label depth. This can lead to a confidentiality impact or a bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
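The following pre-connect guard is an added example, not code from the advisory or from Node.js: it rejects any hostname whose label depth depends on which component normalizes it, and shows the depth disagreement on constructed inputs. It assumes the separators involved are the RFC 3490 set (U+3002, U+FF0E, U+FF61), which the advisory does not enumerate; all function names are hypothetical.

```javascript
// Added example: pre-connect hostname guard (not Node.js internals).
// Assumption: the Unicode dot separators are the RFC 3490 set below.
const UNICODE_DOTS = /[\u3002\uFF0E\uFF61]/g;

// Split as an ASCII-only component would: only U+002E separates labels.
function asciiLabels(host) {
  return host.toLowerCase().split('.');
}

// Split as an IDNA-aware component would: all four dots separate labels.
function idnaLabels(host) {
  return host.toLowerCase().replace(UNICODE_DOTS, '.').split('.');
}

// Single-label wildcard match over pre-split labels (wildcard only leftmost).
function wildcardMatches(pattern, labels) {
  const p = pattern.toLowerCase().split('.');
  if (p.length !== labels.length) return false;
  return p.every((want, i) =>
    i === 0 && want === '*' ? labels[i].length > 0 : want === labels[i]);
}

// Guard: refuse hostnames that two normalizers would split differently.
function checkHostname(host) {
  const a = asciiLabels(host);
  const u = idnaLabels(host);
  if (a.length !== u.length) {
    return { ok: false, reason: 'ambiguous-label-depth',
             asciiDepth: a.length, idnaDepth: u.length };
  }
  return { ok: true, host: a.join('.') };
}

// Constructed sample hostnames (not taken from the advisory).
const samples = ['api.example.com', 'a\u3002b.example.com',
                 'a\uFF0Eb\uFF61example.com'];
for (const h of samples) {
  console.log(JSON.stringify(h), checkHostname(h));
}
```

Run the guard on the hostname string before it reaches either the resolver or the TLS layer, and upgrade to a fixed Node.js release once one is available for your release line.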
Disclosure Date
Public Disclosure: June 18, 2026