Mallory
Unrated

Node.js embedded-NUL hostname authority rebinding flaw

Identifiers: CVE-2026-48930, CWE-170

CVE-2026-48930 is a medium-severity Node.js TLS/hostname handling vulnerability in which embedded null bytes in hostnames are not handled safely across hostname processing and resolver bindings. According to the provided context, an embedded-NUL hostname can be truncated in C-string-based resolver bindings, causing the effective hostname used by lower-level resolution logic to differ from the full hostname seen by higher-level validation logic. This mismatch can result in silent authority rebinding during hostname handling and verification. The issue affects supported Node.js 22.x, 24.x, and 26.x release lines prior to the fixed releases referenced in the June 2026 security updates.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause silent authority rebinding, allowing an attacker to manipulate how a hostname is interpreted across validation and resolution boundaries. This can undermine hostname-based trust decisions, potentially enabling security restriction bypass, spoofing, data manipulation, or sensitive information disclosure depending on the application’s trust model and how Node.js hostname verification is used.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reject or sanitize hostnames containing embedded null bytes before passing them to Node.js networking or TLS APIs; enforce strict hostname canonicalization and validation at application boundaries; avoid relying on inconsistent hostname representations across layers; and restrict outbound connections or trust decisions based on untrusted attacker-supplied hostnames where possible. These are partial mitigations only; upgrading is the definitive fix.
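
One way to apply the boundary check described above, as an added example that is not from the original page or from the Node.js project: it rejects control characters in the raw string, canonicalizes with `url.domainToASCII`, and gives the same string to both `host` and `servername`. The names `canonicalHostname` and `tlsOptionsFor` are hypothetical, and rejecting every non-LDH label (underscores included) is an assumption about what the application accepts.

```javascript
'use strict';
const net = require('node:net');
const { domainToASCII } = require('node:url');

// C0 controls and DEL; U+0000 (NUL) is the character that truncates C strings.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
// One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
const LDH_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

function canonicalHostname(input) {
  if (typeof input !== 'string' || input.length === 0) {
    throw new TypeError('hostname must be a non-empty string');
  }
  // Check the raw input first, before any library can drop or reinterpret it.
  if (CONTROL_CHARS.test(input)) {
    throw new RangeError('hostname contains a control character (embedded NUL?)');
  }
  if (net.isIP(input) !== 0) return input; // IP literal: pass through unchanged
  // domainToASCII returns '' for an invalid domain; strip one trailing root dot.
  const ascii = domainToASCII(input).toLowerCase().replace(/\.$/, '');
  if (ascii.length === 0 || ascii.length > 253) {
    throw new RangeError('hostname is not a valid domain name');
  }
  for (const label of ascii.split('.')) {
    if (!LDH_LABEL.test(label)) {
      throw new RangeError(`invalid hostname label: ${JSON.stringify(label)}`);
    }
  }
  return ascii;
}

// Hypothetical helper: build tls.connect() options so that the name that is
// resolved (host) and the name that is verified (servername) are one string.
function tlsOptionsFor(untrustedHost, port) {
  const host = canonicalHostname(untrustedHost);
  const options = { host, port };
  // servername (SNI) must be a host name, not an IP literal.
  if (net.isIP(host) === 0) options.servername = host;
  return options;
}
```

Pass the returned object to `tls.connect()` instead of the caller-supplied string, and log rejected inputs so attempts to submit NUL-bearing hostnames are visible.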

Remediation

Patch, then assume compromise.

Upgrade Node.js to a fixed release from the June 2026 security updates. The provided context identifies fixed versions including v22.23.0, v24.17.0, and v26.3.1; another cited source references patched versions v22.23.1, v24.17.1, and v26.3.2. At minimum, deploy the latest available patched release in the affected major line and avoid unsupported/end-of-life versions.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.
