EOL Software
Jul 9, 2026

Node.js June 2026 Security Releases: Patches for EOL Node 18 and 20

Addressing June 2026 CVEs and Providing Security Coverage for End-of-Life Versions

Give me the TL;DR
Node.js June 2026 Security Releases: Patches for EOL Node 18 and 20
For Qualys admins, NES for .NET directly resolves the EOL/Obsolete Software:   Microsoft .NET Version 6 Detected vulnerability, ensuring your systems remain secure and compliant. Fill out the form to get pricing details and learn more.

Twelve CVEs were patched upstream in Node 22, 24, and 26. Ten of them reach the end-of-life 18.x and 20.x lines, which still pulled over 135 million downloads in June.

On June 18, 2026, the Node.js project shipped security releases for the 22.x, 24.x, and 26.x lines, fixing twelve CVEs: two High, six Medium, and four Low severity. The batch includes a WebCrypto flaw that lets a remote attacker crash the process (CVE-2026-48933), a TLS wildcard authentication bypass (CVE-2026-48618), and a cluster of hostname-handling flaws that undermine TLS and mTLS trust decisions. Node.js 18 and Node.js 20 received nothing upstream: both lines are past end of life, and as the advisory itself notes, "End-of-Life versions are always affected when a security release occurs." Ten of the twelve CVEs reach the 18.x and 20.x lines. HeroDevs shipped patched NES releases for both within a week.

Running Node 18 or Node 20 past end of life? See Node.js NES.

What shipped upstream on June 18

The upstream fixes landed in Node.js v22.23.0, v24.17.0, and v26.3.1. Alongside the twelve CVE fixes, the release bumped several security-relevant dependencies across all supported lines: llhttp 9.4.2, nghttp2 1.69.0, and OpenSSL 3.5.7, plus undici updates per line.

The most interesting pattern in this batch: four of the twelve CVEs are TLS or mTLS trust failures rooted in hostname handling. Unicode dot separators, embedded NUL bytes, uppercase SNI mismatches, and session reuse across servernames all produced ways for a connection to be treated as authenticated to the wrong host. Three of the four were reported by the same researcher, which looks less like a lucky find and more like a systematic audit of Node's hostname handling. Expect more from this bug class.

Node 18 and Node 20 are EOL. They are anything but gone.

Node.js 18 reached end of life on April 30, 2025. Node.js 20 reached end of life on April 30, 2026. Neither line receives upstream security fixes.

The download numbers tell a different story about actual usage. Per the Node.js download statistics project, here is how June 2026 version-attributed downloads break out:

Two months after its EOL date, Node 20 is still the third-most-downloaded release line on the planet, out-downloading the brand-new Node 26 line three to one. Node 18, fourteen months past end of life, nearly matches Node 26 on its own.

Combined, the two EOL lines were downloaded more than 135 million times in June. That is roughly 4.5 million downloads per day, and about one in six version-attributed Node.js downloads. Every one of those installs is exposed to the vulnerabilities below unless it is running a remediated build.

The full June CVE list, and what it means for Node 18 and 20

The table below maps each June CVE to the HeroDevs NES releases for the two EOL lines: Node.js NES v18.20.18 and Node.js NES v20.20.3, both released June 25, 2026.

CVSS scores are the NVD-published CVSS 3.1 base scores as of July 3, 2026, with v3.0 CNA scores shown where NVD analysis is still pending. The two Permission Model CVEs are N/A for Node 18 because the Permission Model was introduced in Node 20. CVEs marked "Not listed" do not appear in that line's June NES release notes; per-line applicability determinations are published as VEX statements alongside each release.

Two June CVEs are absent from the table by design. CVE-2026-48615 (proxy credentials leaked in ERR_PROXY_TUNNEL errors) involves proxy tunnel handling that is not listed as affecting either NES line, and CVE-2026-48936 affects only Node.js 26 per the upstream advisory.

Two scores worth a second look

Severity labels diverge on two of these CVEs, and readers who triage by score should know both numbers.

CVE-2026-48930 (embedded NUL hostnames). The Node.js advisory classifies it Medium, and the CNA scored it 5.6 on CVSS 3.0. NVD's independent analysis scored it 9.8 Critical on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The gap reflects different assumptions about exploit preconditions, but silent authority rebinding on TLS connections is exactly the kind of flaw that deserves the conservative read. If you triage on NVD scores, this is the Critical hiding in a Medium batch.

CVE-2026-48618 (Unicode dot wildcard bypass). The advisory labels it High. NVD scored 6.5 on CVSS 3.1 while the CNA scored 7.7 on CVSS 3.0. Either way, a certificate validation bypass in TLS hostname verification belongs at the top of your patch queue if you terminate or originate TLS in Node.

How to get patched

Migration to a supported line is always the first recommendation. But migrations take quarters, and the June CVEs are live now. Node.js NES exists for exactly this gap: source-available, drop-in replacement builds of Node 18 and 20 that keep receiving security remediations after upstream support ends, so the migration can happen on your schedule instead of an attacker's.

Both NES releases shipped June 25, 2026, one week after the upstream disclosure. That cadence is the product: every upstream security release gets evaluated against the EOL lines, and applicable fixes ship as new NES builds with published release notes and VEX statements.

Why HeroDevs is the remediation path the Node.js project points to

This is not an aftermarket patch shop guessing at diffs. HeroDevs is an official partner of the Node.js project through the OpenJS Foundation, and was the inaugural partner in the OpenJS Ecosystem Sustainability Program. The Node.js project's own security release page directs users needing commercial support for versions past Maintenance LTS to its Ecosystem Sustainability Program partners. Part of the value of that partnership flows back upstream: it funds ongoing Node.js development and security work on the versions everyone uses.

For the June batch specifically, that means Node 18 and Node 20 users get remediations built by engineers working alongside the project, published with per-CVE release notes and machine-readable VEX statements your scanners can consume.

Taking action

If you are on a supported line, upgrade this week; the TLS hostname cluster alone justifies it. If you are among the 135 million monthly downloads still on Node 18 or Node 20, you have two real options: accelerate the migration, or get patched where you stand with Node.js NES. NES v18.20.18 and v20.20.3 are available now as drop-in replacements, with the June remediations already applied.

For the broader EOL picture, see our reference on Node.js end-of-life dates, our coverage of the March 2026 Node.js security release, and our guides to what EOL means in practice for Node 20 and Node 18. And if you want to talk through coverage for your specific stack, get in touch.

Table of Contents
Author
Greg Allen
Chief Technology Officer
Open Source Insights Delivered Monthly