All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-48615
HIGHpublished 2026-06-26 02:16 UTC · 3 days ago · modified 2026-06-26 20:18 UTC
7.5
CVSS / 10
// description
A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
// cvss 3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
// weaknesses (CWE)
- CWE-359