CVE-2026-48931
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is sent before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
Risk Assessment
An attacker could exploit this vulnerability to inject a fake response, potentially leading to data integrity breaches or man-in-the-middle attacks.
Recommendation
It is recommended to immediately update Node.js to the latest patched version for the used release line (22, 24, or 26).
Original NVD description (English source)
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

