A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
| Version | Score | Severity | Vector String |
|---|---|---|---|
| 3.0 | 5.6 | Medium | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Product | Vendor | Version |
|---|---|---|
| node | nodejs | < 5381.1000 |