CVE-2026-48615

Summary

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messages.

When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Affected Software

VendorProductVersion RangeStatus
nodejsnode22.22.3 <= 22.22.3affected
nodejsnode24.16.0 <= 24.16.0affected
nodejsnode26.3.0 <= 26.3.0affected

Weaknesses

  • CWE-359: CWE-359 Privacy Violation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References