A flaw in Node.js TLS hostname handling can cause Node.js...
High severity
Unreviewed
Published
Jun 26, 2026
to the GitHub Advisory Database
•
Updated Jul 15, 2026
Description
Published by the National Vulnerability Database
Jun 26, 2026
Published to the GitHub Advisory Database
Jun 26, 2026
Last updated
Jul 15, 2026
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat.
This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.
References