CVE Vulnerabilities

CVE-2026-48931

Time-of-check Time-of-use (TOCTOU) Race Condition

Published: Jun 22, 2026 | Modified: Jul 03, 2026
CVSS 3.x
3.7
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.

This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check.

Affected Software

NameVendorStart VersionEnd Version
Node.jsNodejs22.22.3 (including)22.22.3 (including)
Node.jsNodejs24.16.0 (including)24.16.0 (including)
Node.jsNodejs26.3.0 (including)26.3.0 (including)
NodejsUbuntuquesting*

Potential Mitigations

References