Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
Summary
A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS (Transport Layer Security) hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security boundaries, potentially leading to unauthorized access and confidentiality impact. This Important flaw in Node.js allows for a TLS wildcard-depth authentication bypass due to a mismatch in how hostnames and unicode dot separators are handled during authentication. This could enable an attacker to circumvent security boundaries, potentially leading to unauthorized access and compromise of sensitive information in applications utilizing Node.js for TLS connections. The issue affects Node.js versions 22, 24, and 26 as shipped in Red Hat products. Red Hat severity: Important — CVSS 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). Weakness: CWE-289. Fixed by RHSA-2026:35841, RHSA-2026:35842, RHSA-2026:28727, RHSA-2026:29012, RHSA-2026:30172, RHSA-2026:7378 and more — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Enterprise Linux 10; Red Hat Hardened Images.
- nodejs20-main-20.20.2-1.hum1
- nodejs22-main-22.23.1-1.hum1
- nodejs24-main-24.18.0-0.1.hum1
- nodejs26-main-26.4.0-1.2.hum1
- nodejs25-main-25.9.0-1.1.hum1
- nodejs24-1:24.18.0-1.el10_2
- nodejs22-1:22.23.1-2.el10_2
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- nodejs24-1:24.18.0-1.el10_2
- nodejs22-1:22.23.1-2.el10_2
- nodejs22-main-22.23.1-1.hum1
- nodejs24-main-24.18.0-0.1.hum1
- nodejs26-main-26.4.0-1.2.hum1
- nodejs25-main-25.9.0-1.1.hum1
- nodejs20-main-20.20.2-1.hum1
- RHSA-2026:35841
- RHSA-2026:35842
- RHSA-2026:28727
- RHSA-2026:29012
- RHSA-2026:30172
- RHSA-2026:7378
- RHSA-2026:9455
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.