Out of Memory Vulnerability in Node.js HTTP/2 Client Affects Multiple Versions
CVE-2026-48619

5.3MEDIUM

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-48619?

A vulnerability in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, potentially resulting in an Out of Memory error on the client side. This issue impacts all currently supported versions of Node.js, specifically Node.js 22, 24, and 26, highlighting the importance of updating to mitigate the risk of service disruption.

Affected Version(s)

node 22.22.3

node 24.16.0

node 26.3.0

References

https://nodejs.org/en/blog/vulnerability/june-2026-securi...

CVSS V3.0

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 22, 2026

CVE-2026-48619 Data

JSON

Nodejs

What is CVE-2026-48619?

Affected Version(s)

References

CVSS V3.0

Timeline