CVE-2026-48937 PUBLISHED

Assigner: hackerone
Reserved: 26.05.2026 Published: 18.06.2026 Updated: 18.06.2026

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.

Metrics

CVSS 3.0

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.0

Product Status

Vendor	nodejs
Product	node
Versions	Default: unaffected affected from 22.22.3 to 22.22.3 (incl.) affected from 24.16.0 to 24.16.0 (incl.)

References

https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
https://hackerone.com/reports/3658225

Problem Types

CWE-400 Uncontrolled Resource Consumption CWE