CVE-2026-48615
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.
Risk Assessment
The risk involves potential leakage of sensitive proxy credentials into system logs or other diagnostic sources, which could enable unauthorized access to network resources.
Recommendation
It is recommended to immediately update Node.js to the latest patched version for release lines 22, 24, and 26. Also review and sanitize existing logs for potentially exposed credentials.
Original NVD description (English source)
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

