CVE-2026-48933

Summary

A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a multiple of 2GiB.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Affected Software

VendorProductVersion RangeStatus
nodejsnode22.22.3 <= 22.22.3affected
nodejsnode24.16.0 <= 24.16.0affected
nodejsnode26.3.0 <= 26.3.0affected

Weaknesses

  • CWE-190: CWE-190 Integer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

nodejs: Node.js WebCrypto: Denial of Service via large input to subtle.encrypt()

Additional References

References