CVE-2026-48930
Node.js
CVSS Details
CVSS Score: Medium
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Weakness: CWE-626 Null Byte Interaction Error (Poison Null Byte)
Description
A flaw in Node.js TLS hostname handling allows a hostname containing an embedded NUL byte to cause silent authority rebinding. Because the resolver bindings treat hostnames as C strings, such a hostname is truncated at the NUL, so the connection is resolved and authority-checked against a different host than the full string represents. This discrepancy between the intended hostname and the truncated value can silently rebind the connection authority, bypassing the intended security boundary. The vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
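The truncation described above, with an application-side guard that rejects such hostnames before they reach the TLS layer. This is an added example, not code from Node.js or from this advisory; the function names and sample hostnames are hypothetical, and it assumes the application passes `host` and `servername` options to `tls.connect`.

```javascript
// Added example: application-side hostname guard (function names are hypothetical).

// What a C-string consumer sees: everything before the first NUL byte.
function cStringView(hostname) {
  const i = hostname.indexOf('\0');
  return i === -1 ? hostname : hostname.slice(0, i);
}

// Throws unless the hostname is a non-empty string free of control characters.
// NUL is the byte that truncates; the other C0 controls and DEL are never
// valid in a hostname either, so they are rejected in the same pass.
function assertSafeHostname(hostname) {
  if (typeof hostname !== 'string' || hostname.length === 0) {
    throw new TypeError('hostname must be a non-empty string');
  }
  if (/[\u0000-\u001f\u007f]/.test(hostname)) {
    throw new RangeError('hostname contains a control character');
  }
  return hostname;
}

// Validate the hostname-bearing fields of a connect options object
// (assumption: the caller uses `host` and `servername`) and return a copy.
function guardConnectOptions(options) {
  const checked = { ...options };
  for (const key of ['host', 'servername']) {
    if (checked[key] !== undefined) assertSafeHostname(checked[key]);
  }
  return checked;
}

// Report the JS view and the C-string view side by side, for logging.
function describeHostname(hostname) {
  const seenByC = cStringView(hostname);
  return { seenByJs: hostname, seenByC, mismatch: seenByC !== hostname };
}

// Constructed sample inputs.
const samples = ['api.example.com', 'api.example.com\0.other.example'];
for (const h of samples) {
  console.log(JSON.stringify(describeHostname(h)));
}
```

Run the guard on the final decoded string, immediately before the options are handed to the connection call, so no later transformation can reintroduce a NUL.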
Disclosure Date
Public Disclosure: June 18, 2026