CVE-2026-48619 in Node.js
Summary
by MITRE • 06/26/2026
A flaw in the Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an out-of-memory error on the client.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability is a memory exhaustion issue in the Node.js HTTP/2 client that stems from how the implementation handles ORIGIN frames (RFC 8336). ORIGIN frames are a legitimate protocol extension: a server sends them on stream 0 to advertise the set of origins for which the connection is authoritative, and the client is expected to retain that origin set for the life of the connection. Because the frames come from the server, a malicious server can send as many as it likes; a client that retains every entry without a bound on the count or size of the origin set allocates memory at the server's discretion until the process runs out of memory and crashes.
The defect is the client's failure to bound the number of ORIGIN frames, and hence origin-set entries, accepted over a single connection. It affects Node.js 22, 24 and 26, that is, every release line named in the summary, so most production deployments are in scope. It aligns with CWE-770 (Allocation of Resources Without Limits or Throttling) and is categorized under ATT&CK T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood). The root cause is a peer-controlled allocation with no upper bound, the same class of defect as other HTTP/2 flood-style denial-of-service bugs.
Operationally, the exposure is on the client side: the attacker must control, or be able to tamper with traffic from, a server that the Node.js process connects to over HTTP/2 (for example via `http2.connect()`), and it is the connecting process that crashes. The summary scopes the flaw to the HTTP/2 client, so a Node.js process acting only as an HTTP/2 server is not the target described here. Exploitation consists of the malicious server streaming ORIGIN frames for as long as the connection stays open, until the client's heap is exhausted and the process aborts. The direct impact is a crash of the affected process; on hosts or containers without memory limits the growth can also pressure other processes before the crash occurs. API gateways, service meshes, crawlers, webhook consumers and microservices that open HTTP/2 connections to third-party or user-supplied endpoints are the most exposed, since the set of servers they talk to is large and not always trusted.
Mitigation is to upgrade to the patched releases of the 22, 24 and 26 lines. Until then, restrict which servers HTTP/2 clients may connect to (an allowlist of trusted upstreams) and bound the blast radius: run the process with an explicit V8 heap limit (e.g. `--max-old-space-size`) under a supervisor that restarts it, set connection timeouts, and use circuit breakers so that a crashing upstream connection does not take the whole service down. Network-level detection of ORIGIN frame floods is only practical where TLS is terminated before the client, for example at a forward proxy that speaks HTTP/2, because the frames are otherwise encrypted; watching client process memory for steady growth while connected to a particular upstream is a more realistic signal. More broadly, any state a client retains on behalf of a peer, origin sets included, needs an explicit upper bound, and protocol implementations should be tested against peers that send legitimate frames in illegitimate quantities.