CVE-2026-48931 PUBLISHED

Assigner: hackerone
Reserved: 26.05.2026 Published: 22.06.2026 Updated: 23.06.2026

A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Product Status

Vendor nodejs
Product node
Versions Default: unaffected
  • affected from 22.22.3 to 22.22.3 (incl.)
  • affected from 24.16.0 to 24.16.0 (incl.)
  • affected from 26.3.0 to 26.3.0 (incl.)

Problem Types

  • CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition