Vulnerability Details CVE-2026-48931
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 25.4%
CVSS Severity
CVSS v3 Score 3.7
Products affected by CVE-2026-48931
-
cpe:2.3:a:nodejs:node.js:22.22.3
-
cpe:2.3:a:nodejs:node.js:24.16.0
-
cpe:2.3:a:nodejs:node.js:26.3.0