Alpine: nodejs: security update to 22.23.0-r0

critical Tenable Cloud Security Plugin ID 443746

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw in Node.js TLS hostname handling: embedded-NUL hostnames can lead to silent authority rebinding
due to C-string truncation in resolver bindings. This vulnerability affects all supported release lines:
**Node.js 22**, **Node.js 24**, and **Node.js 26**. (CVE-2026-48930)

- A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error
messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling
paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all
supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. (CVE-2026-48615)

- A flaw in Node.js Permission Model enforcement allows a bypass via `process.report.writeReport()` path
misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under
affected configurations. This vulnerability affects all supported release lines: **Node.js 22**,
**Node.js 24**, and **Node.js 26**. (CVE-2026-48617)

- A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth
authentication bypass due to a resolver and verifier hostname normalization mismatch. This can lead to
confidentiality impact or bypass of the intended security boundary under affected configurations.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and
**Node.js 26**. (CVE-2026-48618)

- A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could
lead to an Out of Memory error on the client. This vulnerability affects all supported release lines:
**Node.js 22**, **Node.js 24**, and **Node.js 26**. (CVE-2026-48619)

Solution

Update the nodejs library and its related packages to version 22.23.0-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-48615

https://security.alpinelinux.org/vuln/CVE-2026-48617

https://security.alpinelinux.org/vuln/CVE-2026-48618

https://security.alpinelinux.org/vuln/CVE-2026-48619

https://security.alpinelinux.org/vuln/CVE-2026-48928

https://security.alpinelinux.org/vuln/CVE-2026-48930

https://security.alpinelinux.org/vuln/CVE-2026-48931

https://security.alpinelinux.org/vuln/CVE-2026-48933

https://security.alpinelinux.org/vuln/CVE-2026-48934

https://security.alpinelinux.org/vuln/CVE-2026-48935

https://security.alpinelinux.org/vuln/CVE-2026-48937

Plugin Details

Severity: Critical

ID: 443746

Version: Revision 1.4

Type: Local

Published: 6/21/2026

Updated: 6/29/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48930

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/18/2026

Reference Information

CVE: CVE-2026-48615, CVE-2026-48617, CVE-2026-48618, CVE-2026-48619, CVE-2026-48928, CVE-2026-48930, CVE-2026-48931, CVE-2026-48933, CVE-2026-48934, CVE-2026-48935, CVE-2026-48937