CVE-2026-48615
- Source
- https://cve.org/CVERecord?id=CVE-2026-48615
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48615.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-48615
- Downstream
- Related
- Published
- 2026-06-26T01:14:36.524Z
- Modified
- 2026-06-28T04:03:40.061443945Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in
ERR_PROXY_TUNNELerror messages.When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
- Database specific
{ "cna_assigner": "hackerone", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48615.json", "unresolved_ranges": [ { "source": "AFFECTED_FIELD", "extracted_events": [ { "last_affected": "22.22.3" }, { "last_affected": "24.16.0" }, { "last_affected": "26.3.0" } ] } ], "cwe_ids": [ "CWE-359" ] }- References
Affected packages
Git / github.com/nodejs/node
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nodejs/node
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affected
- Database specific
{ "source": "CPE_STRING", "extracted_events": [ { "introduced": "0" }, { "last_affected": "22.22.3" }, { "last_affected": "24.16.0" }, { "last_affected": "26.3.0" } ], "cpe": [ "cpe:2.3:a:nodejs:node.js:22.22.3:*:*:*:-:*:*:*", "cpe:2.3:a:nodejs:node.js:24.16.0:*:*:*:-:*:*:*", "cpe:2.3:a:nodejs:node.js:26.3.0:*:*:*:-:*:*:*" ] }
Affected versions
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.6
v0.1.0
v0.1.1
v0.1.10
v0.1.100
v0.1.101
v0.1.102
v0.1.103
v0.1.104
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.3
v0.1.30
v0.1.31
v0.1.32
v0.1.33
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.1.92
v0.1.93
v0.1.94
v0.1.95
v0.1.96
v0.1.97
v0.1.98
v0.1.99
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.4.0
v0.5.0
v0.5.1
v0.5.10
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.5-rc1
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.7.0
v0.7.2
v0.7.3
v1.*
v1.0.1
v1.0.1-release
v1.0.2
v1.0.2-release
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v22.*
v22.0.0
v22.1.0
v22.10.0
v22.11.0
v22.12.0
v22.13.0
v22.13.1
v22.14.0
v22.15.0
v22.15.1
v22.16.0
v22.17.0
v22.17.1
v22.18.0
v22.19.0
v22.2.0
v22.20.0
v22.21.0
v22.21.1
v22.22.0
v22.22.1
v22.22.2
v22.22.3
v22.3.0
v22.4.0
v22.4.1
v22.5.0
v22.5.1
v22.6.0
v22.7.0
v22.8.0
v22.9.0
v24.*
v24.0.0
v24.0.1
v24.0.2
v24.1.0
v24.10.0
v24.11.0
v24.11.1
v24.12.0
v24.13.0
v24.13.1
v24.14.0
v24.14.1
v24.15.0
v24.16.0
v24.2.0
v24.3.0
v24.4.0
v24.4.1
v24.5.0
v24.6.0
v24.7.0
v24.8.0
v24.9.0
v26.*
v26.0.0
v26.1.0
v26.2.0
v26.3.0
v3.*
v3.0.0