CVE-2026-48615

Published: 6/26/2026 Last updated: 6/26/2026 Reserved: 5/22/2026

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---------|-------|----------|---------------|
| 3.0 | 5.9 | Medium | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |

Opam packages affected (1)

conf-npm

Products affected (1)

| Product | Vendor | Version |
|---------|--------|---------|
| node | nodejs | < 19.2R3-S1 |

References (1)