CVE-2026-48937

Description

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected products

nodejs / node22.22.3 – 22.22.3
nodejs / node24.16.0 – 24.16.0

References

MISChttps://nodejs.org/en/blog/vulnerability/june-2026-security-releases
MISChttps://hackerone.com/reports/3658225