The Nul-Byte That Rebinds Authority
CVE-2026-48930 comes down to a fundamental mismatch between JavaScript strings and C strings. A JavaScript string is length-delimited and may contain nul bytes (\x00); a C string ends at the first nul. When Node.js hands a hostname containing a nul byte to its native TLS bindings, the C layer truncates at the nul and operates on a different hostname than the one the JavaScript layer validated.
An attacker-controlled hostname like evil.com\x00.legitimate.com passes a JavaScript-side check (a suffix or allowlist match sees a string that ends in .legitimate.com) but truncates to evil.com once it crosses into C. Silent authority rebinding: the hostname the application validated and the hostname the native layer actually uses are no longer the same string, so the connection goes somewhere the validation never approved.
The 4.2-Point Severity Dispute
NVD scores this vulnerability CVSS 9.8 — critical, network-exploitable, no authentication required. HackerOne scores it 5.6 — medium severity. The same vulnerability, the same technical details, a 4.2-point gap. This isn't a rounding disagreement. It's a fundamental divergence in how two authoritative sources assess the same risk.
For security teams, the question is immediate: do you treat this as critical and patch within 48 hours, or as medium and schedule it for next sprint? CISA's BOD 26-04 requires patching known-exploited critical vulnerabilities within three days. If NVD is right, the clock is ticking. If HackerOne is right, it's a routine update. The scoring system that's supposed to prioritize your response is giving contradictory signals.
Every Node Framework Inherits This
Node.js 22, 24, and 26 are all affected: every active LTS and current line. Next.js, Nuxt, Remix, Astro, SvelteKit, Express, Fastify, every framework built on Node inherits this TLS vulnerability, reachable wherever the application or one of its dependencies opens an outbound TLS connection to a hostname an attacker can influence. The June 17 security release patched different CVEs in the same runtime. Two weeks later, another critical TLS flaw. The runtime that 95% of modern JavaScript frameworks depend on is producing critical security patches faster than most organizations can deploy them.
Patch Now, Regardless of the Score
Update all Node.js installations to the latest security release. Don't wait for NVD and HackerOne to agree: a TLS hostname bypass that enables authority rebinding is dangerous at any CVSS score. Audit any application that accepts external hostnames for TLS connections, and reject any hostname containing characters outside the DNS label set (including \x00) before it reaches the TLS layer, rather than relying on a suffix match alone. The nul-byte class of vulnerability has been known since the 2000s. That it's still appearing in 2026 in the web's most widely used runtime is the real finding.