CVE Catalog
CVE-2026-48937
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk0.40%
31th percentile — higher than 31% of all known CVEs
Summary
A flaw in Node.js HTTP/2 server API allows servers to keep accepting data even after sending a `GOAWAY` frame. This affects **Node.js 22** and **Node.js 24**.
Risk Assessment
This vulnerability may lead to uncontrolled data processing by the server, potentially impacting the stability and security of applications.
Recommendation
It is recommended to update to the latest version of Node.js to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.

