Node.js shipped coordinated security releases on June 18, 2026, patching 12 CVEs across all three active release lines — 22.x (Maintenance LTS), 24.x (Active LTS), and 26.x (Current). Two of the twelve carry a HIGH severity rating, which means this is a patch-this-week batch, not a patch-next-sprint one.
The two HIGH-severity issues are the headline. CVE-2026-48933 lets an attacker crash a Node process by passing input that is a multiple of 2 GiB to the WebCrypto subtle.encrypt() call — a denial-of-service trigger that file-encryption pipelines can hit without any malice at all. CVE-2026-48618 is a TLS hostname normalization flaw that can bypass wildcard-certificate verification, the most common certificate pattern in multi-tenant SaaS.
This guide does three things: it walks through what each HIGH CVE actually does and who is exposed, it gives you a CVE-by-module breakdown so the right team owns the right fix, and it lays out the one-command upgrade paths for nvm, fnm, Volta, and Docker — plus the one hidden breaking change buried inside this release that npm audit fix can trip silently.
- 01Twelve CVEs shipped on June 18 — two rated HIGH.Node.js patched all three active lines (22.23.0, 24.17.0, 26.3.1) in a single coordinated release. The two HIGH issues — a WebCrypto crash and a TLS wildcard bypass — affect every supported line and should be patched this week.
- 02The 2 GiB crypto crash is easy to trigger by accident.CVE-2026-48933 aborts the process when subtle.encrypt() receives input that is a multiple of 2 GiB. File-encryption workflows that stream large uploads through WebCrypto can hit this with no attacker involved — it is a DoS, not just a theoretical edge case.
- 03Wildcard cert holders are the TLS-bypass blast radius.CVE-2026-48618 stems from a Unicode dot-separator normalization mismatch in TLS hostname checks. Teams relying on *.example.com certificates and Node's built-in identity verification are the at-risk population for the wildcard-depth authentication bypass.
- 04Node 24 'Krypton' is the recommended upgrade target.Node 24 is in Active LTS through October 2026, then Maintenance LTS to April 2028. Node 22 is security-only until April 2027; Node 26 is Current, not yet production-recommended; Node 20 reached End of Life on April 30, 2026 and gets no official patch.
- 05Watch the nghttp2 SEMVER-MAJOR breaking change.The nghttp2 1.69.0 bump on the 22.x and 24.x lines removes HTTP/2 priority signaling. Code calling http2session.setPriority() or http2stream.priority() can throw after the upgrade — remove those calls first, and regenerate lockfiles after any dependency bumps.
01 — What ShippedA coordinated release across three active lines.
On June 18, 2026, the Node.js project published security updates for every supported release line at once: 22.23.0 (codename Jod), 24.17.0 (codename Krypton), and 26.3.1 (Current — no LTS codename yet). Antoine du Hamel managed all three releases. The advisory groups twelve distinct CVEs across the WebCrypto, TLS, HTTP/2, HTTP, DNS, and Permission Model subsystems.
Most of the twelve are MEDIUM or LOW, but the two HIGH-severity issues — one in crypto, one in TLS — are the reason this release warrants an immediate look rather than a scheduled maintenance window. Both HIGH CVEs affect all three active lines, so there is no version you can be running today that is unaffected, short of an already-patched build.
Node 26.3.1
The latest channel, first shipped May 5, 2026 with Temporal enabled by default. Gets every CVE in this batch, including the one Permission Model issue that affects only the 26.x line. Not production-recommended until it enters LTS in October 2026.
Node 24.17.0
The recommended target for new production deployments. Active LTS runs through October 2026, then Maintenance LTS until April 30, 2028. Carries both HIGH-severity fixes plus the nghttp2 breaking change.
Node 22.23.0
Maintenance LTS — receiving security patches only, no new features. Still a fully supported, fully patched line until April 30, 2027. Like Node 24, it picks up the nghttp2 SEMVER-MAJOR change in this release.
02 — HIGH · CryptoThe 2 GiB crypto crash (CVE-2026-48933).
CVE-2026-48933 is a HIGH-severity flaw in the Node.js WebCrypto implementation. When the input to subtle.encrypt() is a multiple of 2 GiB, the process aborts — a denial of service. The root cause is that the WebCrypto cipher output length was not guarded against integer overflow at that threshold. Filip Skokan authored the fix, which landed in all three release lines.
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.— Node.js June 2026 Security Releases advisory
What makes this one urgent is that the trigger is not exotic. Consider a Next.js API route that encrypts a large file upload — a video, a database export, a backup archive — by buffering it and handing it to subtle.encrypt() in one shot. A 2 GiB upload lands squarely on the failure condition, and the process dies. No attacker is required: an honest user uploading a large file can take the service down. That is the difference between a theoretical DoS and an operational one.
The fix guards the cipher output length so the overflow can no longer occur. There is no application-level mitigation that fully closes the gap short of patching — you can cap upload sizes or chunk encryption below the 2 GiB boundary as a stopgap, but those are workarounds, not fixes. Upgrade to a patched build and remove the stopgaps once you have.
subtle.encrypt() — file-encryption pipelines, client-side encryption proxies, backup tooling, large-payload signing flows. If your upload limits allow 2 GiB or larger payloads to reach a WebCrypto call, treat this as actively reachable in production, not as an edge case.03 — HIGH · TLSTLS wildcard bypass via Unicode normalization (CVE-2026-48618).
CVE-2026-48618 is the second HIGH-severity issue. It lives in Node.js TLS hostname handling: the runtime did not normalize Unicode dot separators during server identity checks, creating a resolver-versus-verifier normalization mismatch. Under affected configurations, that mismatch can bypass TLS wildcard-depth authentication — a confidentiality impact or a bypass of the intended security boundary. Matteo Collina authored the fix.
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling to lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismatch, which can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.— Node.js June 2026 Security Releases advisory
The practical exposure here is wildcard certificates. A *.example.com certificate is the default pattern for multi-tenant SaaS, where one cert covers an arbitrary number of tenant subdomains. Teams relying on Node’s built-in tls.checkServerIdentity() with wildcard certs are the specific at-risk population — the normalization mismatch is what lets an attacker present a hostname that passes the verifier but resolves differently, defeating the wildcard depth restriction.
If your architecture terminates TLS at a load balancer or reverse proxy and Node only talks plaintext on a trusted internal network, your blast radius is smaller — but Node-to-Node and Node-to-upstream TLS with wildcard certs is exactly the pattern this CVE targets. Where you run TLS-heavy public endpoints, pair the patch with sane rate-limiting on public HTTP/2 endpoints so a compromised path cannot be hammered cheaply.
June 18, 2026 CVEs by severity · 12 total
Source: Node.js June 2026 security advisory + release notes04 — Full CVE ListEvery CVE in the batch, grouped by module.
Most coverage lists these CVEs in severity order. We group them by affected module instead, so the right team owns the right fix: your TLS reviewers take four, your HTTP team takes four, your crypto path takes one, and your Permission Model work takes three. The Breaking? column flags the single CVE in this batch tied to a behavior-changing dependency bump.
| CVE | Severity | Component | Lines | Vector | Breaking? | Author |
|---|---|---|---|---|---|---|
| TLS · transport security | ||||||
| CVE-2026-48618 | HIGH | TLS hostname check | 22 · 24 · 26 | Remote (network) | No | Matteo Collina |
| CVE-2026-48928 | MEDIUM | TLS / SNI matching | 22 · 24 · 26 | Remote (network) | No | Matteo Collina |
| CVE-2026-48934 | MEDIUM | TLS session reuse | 22 · 24 · 26 | Remote (network) | No | Matteo Collina |
| CVE-2026-48930 | MEDIUM | DNS / Net (NUL bytes) | 22 · 24 · 26 | Remote (network) | No | Matteo Collina |
| HTTP & HTTP/2 | ||||||
| CVE-2026-48619 | MEDIUM | HTTP/2 originSet (node:http2) | 22 · 24 · 26 | Remote (ORIGIN frames) | No | Matteo Collina |
| CVE-2026-48615 | MEDIUM | HTTP proxy tunnel logs | 22 · 24 · 26 | Remote (error logs) | No | Matteo Collina |
| CVE-2026-48937 | MEDIUM | nghttp2 integration | 22 · 24 only | Remote (HTTP/2) | Yes — priority API removed | Node.js project |
| CVE-2026-48931 | LOW | http.Agent (node:http) | 22 · 24 · 26 | Remote (TOCTOU race) | No | Matteo Collina |
| Crypto | ||||||
| CVE-2026-48933 | HIGH | WebCrypto subtle.encrypt() | 22 · 24 · 26 | Input-controlled | No | Filip Skokan |
| Permission Model | ||||||
| CVE-2026-48617 | LOW | process.report.writeReport() | 22 · 24 · 26 | Local | No | RafaelGSS |
| CVE-2026-48935 | LOW | FileHandle.utimes() | 22 · 24 · 26 | Local | No | RafaelGSS |
| CVE-2026-48936 | LOW | Unix domain socket scope | 26 only | Local | No | RafaelGSS |
The authorship concentration is itself a useful signal: Matteo Collina authored the bulk of the TLS and HTTP fixes, RafaelGSS owns the three Permission Model hardening fixes, and Filip Skokan owns the WebCrypto crash. The Permission Model fixes are LOW-severity and local-only — they matter most to teams running Node with the experimental --permission flag, and one of them (CVE-2026-48936) affects only the 26.x line. If you are not using the permission model in production, those three drop down your priority list.
05 — Supported LinesWhich lines get the patch — and which do not.
The June 18 batch patches Node 22, 24, and 26. It does not patch Node 20, which reached End of Life on April 30, 2026. That is the operationally important fact in this release: any organization still running Node 20 in production has zero official mitigation path for these CVEs from the Node.js project itself. The clock on that exposure started weeks ago, and it does not reset.
Node.js 20 · Iron
Reached End of Life on April 30, 2026. Receives no patches from the Node.js project, including this June 18 batch. Commercial extended-support vendors (such as HeroDevs) can cover Node 20 beyond EOL, but there is no official path.
Node.js 24 · Krypton
Active LTS through October 2026, then Maintenance LTS until April 30, 2028. The recommended target for new production deployments. Latest build is 24.17.0, which carries both HIGH-severity fixes.
Node.js 26 · no codename
Current channel since May 5, 2026, ships Temporal by default and V8 14.6. Latest is 26.3.1. Fully patched, but not production-recommended until it enters LTS in October 2026 — codenames are only assigned at that point.
One vocabulary point worth getting right, because it changes the upgrade advice: Node 22 is in Maintenance LTS (security patches only), not Active LTS. Node 24 is the one in Active LTS. If you are choosing a line to standardize on for the next two years, Node 24 is the answer — it gives you the longest runway of active feature and security support. Node 22 is a perfectly safe holding line through April 2027 if a major-version bump is not feasible right now.
For teams whose deployment story runs through CI, the single most reliable way to guarantee everyone pulls a patched build is to pin the Node version in the pipeline rather than relying on each developer’s local install. The same CI/CD pipeline hardening discipline that catches dependency drift is what turns a security release into a one-line change in a base image rather than a fleet-wide scramble.
06 — Hidden Breaking ChangeThe breaking change hiding inside a security release.
Security releases are supposed to be safe to apply blindly. This one has a wrinkle. All three lines bump bundled nghttp2 to 1.69.0, and for Node.js that bump is SEMVER-MAJOR: nghttp2 1.69.0 removes HTTP/2 priority signaling support. The corresponding Node deprecation, DEP0194, was already in place, so the runtime behavior change is not arriving unannounced — but it is still a behavior change shipping under a security-release banner.
The concrete risk: code that calls http2session.setPriority() or http2stream.priority() can throw runtime errors after you upgrade to Node 22.23.0 or 24.17.0. Teams that auto-apply npm audit fix — or that bump Node without reading the release notes — can pull this in and silently break HTTP/2 priority calls. Audit for those two call sites before you upgrade, and remove them.
setPriority and .priority( on HTTP/2 sessions and streams. If you find call sites, remove them before upgrading — HTTP/2 priority signaling is gone in nghttp2 1.69.0 and those calls can throw. And regenerate your lockfiles after any dependency bumps so the patched transitive versions are actually pinned.07 — Upgrade PathsPatch commands by tool.
Each upgrade path is essentially one command. The wrinkle is never the runtime swap; it is the cleanup afterward — regenerating lockfiles, rebuilding native modules, and re-running your test suite against the new line. Pick the path that matches your version manager.
nvm install 24
Installs the latest 24.x and activates it for the current shell. Set it as the default with nvm alias default 24. Re-run npm install to rebuild native modules against the new line, then regenerate your lockfile.
fnm install --lts
Pulls the latest LTS — Node 24 today — and switches the active version. fnm is the fast Rust-based manager; pair it with an .node-version file so the whole team and CI land on the same patched build.
volta install node@24
Pins Node 24 per project via Volta's toolchain manifest, so every contributor and every CI run uses the identical version automatically. Commit the volta block in package.json so the pin travels with the repo.
FROM node:24.17.0-alpine
Pin the exact patched tag in your Dockerfile FROM line for reproducible builds, or FROM node:24-alpine to track the line and pick up future patches on rebuild. Rebuild and redeploy the image so production actually runs the patched binary.
llhttp 9.4.2, nghttp2 1.69.0, OpenSSL 3.5.7 — are pinned, and re-run your full test suite against the new line. A patched runtime with a stale lockfile is a half-applied patch. Webhook senders and other long-lived HTTP clients should re-verify behavior too, since the http.Agent fix changes connection-pool semantics — see our notes on webhook delivery reliability.08 — Patch UrgencyHow fast you should patch, by exposure.
Not every workload carries the same urgency. The right move is to map your actual surface area to the two HIGH CVEs, then schedule accordingly. Here is how we would triage it for a typical production fleet.
Large-payload encryption
If any path can send 2 GiB or larger input to subtle.encrypt() — file-encryption pipelines, backup tooling, client-side encryption proxies — CVE-2026-48933 is actively reachable. Patch this week and cap upload sizes as an interim stopgap.
Wildcard TLS certificates
If you run *.example.com wildcard certs with Node's built-in tls.checkServerIdentity(), CVE-2026-48618 puts your identity verification at risk. Patch this week; where TLS terminates at a proxy and Node talks plaintext internally, your blast radius is smaller.
No crypto or wildcard exposure
Apps that don't touch large WebCrypto payloads or wildcard TLS still inherit the MEDIUM HTTP/2 and DNS fixes. Roll the patch into your next scheduled deploy, but read the nghttp2 note first if you use HTTP/2 priority calls.
End-of-life runtime
Node 20 hit EOL on April 30, 2026 and gets no official patch for any of these CVEs. The only paths are an upgrade to Node 24 (recommended) or commercial extended support. Treat the upgrade itself as the security fix.
The broader pattern this release reinforces is that the modern Node.js attack surface is overwhelmingly in the network and crypto layers — TLS, HTTP/2, DNS, WebCrypto — not in application logic. Most of the twelve fixes touch transport or network security. As more services move to HTTP/2 and rely on built-in TLS rather than a proxy tier, that surface grows, and the value of patching promptly compounds with it.
Looking forward, the operational takeaway outlasts this specific batch: version-pin your runtime in CI, read the release notes for the one SEMVER-MAJOR change hiding in an otherwise routine security release, and get off End-of-Life lines before the next coordinated disclosure leaves you with no official path. The teams that handle June 18 in an afternoon are the ones who already pin Node in a base image and treat a security release as a one-line bump, not a fire drill.
09 — ConclusionPatch the two HIGH CVEs first.
Two HIGH CVEs, three patched lines, one breaking change to watch.
The June 18, 2026 Node.js releases patch twelve CVEs across the 22.x, 24.x, and 26.x lines. The two that matter most are HIGH: a WebCrypto crash that any 2 GiB encryption payload can trigger, and a TLS wildcard-verification bypass that puts multi-tenant SaaS identity checks at risk. Both affect every supported line, so there is no version you can stand still on.
The upgrade itself is one command per tool — nvm, fnm, Volta, or Docker — but the discipline around it is what separates a clean patch from a regression. Regenerate your lockfiles, rebuild native modules, and audit for HTTP/2 priority calls before you pull the nghttp2 SEMVER-MAJOR bump. Teams still on Node 20 should treat the upgrade to Node 24 as the fix, because EOL means no official patch is coming.
Beyond this batch, the signal is consistent: the Node.js attack surface now lives in the transport and crypto layers, and the cost of staying current is far lower than the cost of an emergency patch against an exposed fleet. Pin your runtime, read the one breaking note that always hides in these releases, and keep your lines off End of Life. If you want help auditing dependency exposure or standing up a repeatable upgrade pipeline, that is exactly the kind of work our web development engagements take on.