CVE Catalog

CVE-2026-48933

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
2.45%

82th percentile — higher than 82% of all known CVEs

Summary

A flaw in Node.js WebCrypto implementation crashes the process when the input of `subtle.encrypt()` is a multiple of 2 GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Risk Assessment

An attacker can intentionally provide large input data for encryption, causing the Node.js process to crash and disrupting application availability (DoS).

Recommendation

Immediately update Node.js to the latest patched version for your release line (22, 24, or 26).

Original NVD description (English source)

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS