CVE Catalog

CVE-2026-48937

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

31th percentile — higher than 31% of all known CVEs

Summary

A flaw in Node.js HTTP/2 server API allows servers to keep accepting data even after sending a `GOAWAY` frame. This affects **Node.js 22** and **Node.js 24**.

Risk Assessment

This vulnerability may lead to uncontrolled data processing by the server, potentially impacting the stability and security of applications.

Recommendation

It is recommended to update to the latest version of Node.js to mitigate the risks associated with this vulnerability.

Original NVD description (English source)

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS