Improper Handling of Unicode Encoding Affecting nodejs package, versions [22.20.0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.67% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CONAN-NODEJS-17674770
  • published29 Jun 2026
  • disclosed26 Jun 2026
  • credittmeletlidis

Introduced: 26 Jun 2026

NewCVE-2026-48618  (opens in a new tab)
CWE-176  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the checkServerIdentity function in lib/tls.js, which does not normalize an internationalized hostname to ASCII before matching it against certificate names. An attacker presenting a certificate valid only for a single wildcard level, such as *.example.com, can pass host identity verification for a deeper subdomain by causing the client to connect to a hostname whose label separators are Unicode dots like the fullwidth , which DNS resolves into additional labels but the verifier counts as a single label. Exploitation depends on configurations that rely on wildcard certificates and on the client connecting using an internationalized hostname, where the resolver and the verifier normalize the dot separators inconsistently.

CVSS Base Scores

version 4.0
version 3.1