CVE Catalog

CVE-2026-48931

Low · CVSS 3.7

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

An attacker could exploit this vulnerability to inject a fake response, potentially leading to data integrity breaches or man-in-the-middle attacks.

Recommendation

Update Node.js immediately to the latest patched version for the release line in use (22, 24, or 26).

Original NVD description (English source)

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS