The Node.js project has released critical security updates for severe vulnerabilities in versions 22.x, 24.x, and 26.x, and developers and system administrators should apply them immediately. Notably, two high-severity flaws, CVE-2026-48933 (a WebCrypto integer overflow leading to potential DoS attacks) and CVE-2026-48618 (a TLS authentication bypass), pose significant risks.
Medium-severity issues have also been addressed, including CVE-2026-48615 (leaking sensitive proxy credentials) and CVE-2026-48619 (unbounded memory growth in HTTP/2 clients). Additionally, several low-severity bugs, including CVE-2026-48617 (path misvalidation) and CVE-2026-48930 (silent authority rebinding), have been fixed. Users are urged to update to the latest secure releases (Node.js v22.23.1, v24.17.1, v26.3.2) to protect against these vulnerabilities.
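As an added example (not code from the Node.js project or from the original page), the following check compares Node.js version strings against the fixed releases named above and lists inventory entries that still need attention. The host names, inventory versions, and status labels are constructed for illustration.

```javascript
// Fixed releases per release line, as listed in the summary above.
const FIXED = { 22: [22, 23, 1], 24: [24, 17, 1], 26: [26, 3, 2] };

// Parse "v24.17.0", "24.17.0" or "v26.3.2-rc.1" into numbers plus a pre-release flag.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "patched", "needs-update", "line-not-listed" or "unparseable".
function classifyNodeVersion(text) {
  const v = parseVersion(text);
  if (!v) return "unparseable";
  const fixed = FIXED[v.parts[0]];
  // The page names no fixed release for other lines, so make no claim about them.
  if (!fixed) return "line-not-listed";
  for (let i = 0; i < 3; i++) {
    if (v.parts[i] > fixed[i]) return "patched";
    if (v.parts[i] < fixed[i]) return "needs-update";
  }
  // Same numbers as the fixed release: a pre-release build sorts before it
  // (assumption of this example: semver ordering).
  return v.pre ? "needs-update" : "patched";
}

// Constructed inventory (hypothetical hosts), e.g. gathered with `node --version`.
const SAMPLE_INVENTORY = [
  { host: "api-1", version: "v22.23.1" },
  { host: "api-2", version: "v22.23.0" },
  { host: "worker-1", version: "v24.17.1-rc.1" },
  { host: "worker-2", version: "v26.4.0" },
  { host: "batch-1", version: "v20.19.0" },
  { host: "legacy-1", version: "unknown" },
];

// Keep every entry that is not confirmed to be at or above a fixed release.
function hostsToReview(inventory) {
  return inventory
    .map((e) => ({ ...e, status: classifyNodeVersion(e.version) }))
    .filter((e) => e.status !== "patched");
}

console.log("this runtime:", process.version, classifyNodeVersion(process.version));
console.table(hostsToReview(SAMPLE_INVENTORY));
```

Entries reported as `line-not-listed` or `unparseable` need a manual look, since the summary above gives fixed releases only for the 22.x, 24.x, and 26.x lines.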