A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
<= 22.22.3 - AFFECTED
<= 24.16.0 - AFFECTED
<= 26.3.0 - AFFECTED
A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before...
https://github.com/advisories/GHSA-w88c-7765-q5gg
A flaw in the Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
https://nvd.nist.gov/vuln/detail/CVE-2026-48931
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
https://github.com/nodejs/node/issues/63989
https://jdstaerk.substack.com/p/nodejs-security-fix-silently-broke
https://github.com/advisories/GHSA-w88c-7765-q5gg
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-48931",
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"dateUpdated": "2026-06-22T21:53:26.126Z",
"dateReserved": "2026-05-26T15:00:06.427Z",
"datePublished": "2026-06-22T18:59:30.822Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone",
"dateUpdated": "2026-06-22T18:59:30.822Z"
},
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.\r\n\r\nThis vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**."
}
],
"affected": [
{
"vendor": "nodejs",
"product": "node",
"defaultStatus": "unaffected",
"versions": [
{
"version": "22.22.3",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "22.22.3"
},
{
"version": "24.16.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "24.16.0"
},
{
"version": "26.3.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "26.3.0"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"cweId": "CWE-367",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/june-2026-security-releases"
}
],
"metrics": [
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"baseScore": 3.7,
"baseSeverity": "LOW"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE",
"dateUpdated": "2026-06-22T21:53:26.126Z"
},
"title": "CVE Program Container",
"references": [
{
"url": "https://jdstaerk.substack.com/p/nodejs-security-fix-silently-broke"
},
{
"url": "https://github.com/nodejs/node/issues/63989"
}
]
}
]
}
}