CVE Catalog

CVE-2026-48615

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

Risk Assessment

The risk involves potential leakage of sensitive proxy credentials into system logs or other diagnostic sources, which could enable unauthorized access to network resources.

Recommendation

It is recommended to immediately update Node.js to the latest patched version for release lines 22, 24, and 26. Also review and sanitize existing logs for potentially exposed credentials.

Original NVD description (English source)

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS