CVE-2026-48937

Summary

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24.

Affected Software

VendorProductVersion RangeStatus
nodejsnode22.22.3 <= 22.22.3affected
nodejsnode24.16.0 <= 24.16.0affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References