What is CVE-2026-48931?

CVE-2026-48931 is a low-severity vulnerability in Nodejs Node, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 3.7/10. Published 2026-06-22.

How severe is CVE-2026-48931?

Low severity. CVSS v3 base score is 3.7 out of 10.

Vulnerability in Nodejs Node

CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26*…

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Nodejs Node — versions 22.22.3, 24.16.0, 26.3.0

Weakness classification (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition

References

support@hackerone.com
af854a3a-2127-422b-91ae-364da2661108
af854a3a-2127-422b-91ae-364da2661108

Frequently asked questions

What is CVE-2026-48931?: CVE-2026-48931 is a low-severity vulnerability in Nodejs Node, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 3.7/10. Published 2026-06-22.
How severe is CVE-2026-48931?: Low severity. CVSS v3 base score is 3.7 out of 10.