On 6/19/26 10:33, Solar Designer wrote:
## HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
(CVE-2026-48931) - (low)
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response
that is send before the client has sent the request.
This vulnerability affects all supported release lines: **Node.js 22**,
**Node.js 24**, and **Node.js 26**.
Thank you, to yushengchen for reporting this vulnerability and thank you Matteo
Collina for fixing it.
Matteo Collina has posted a blog about things learned about this fix since the
security releases were published. It begins:
I reported and fixed the HTTP/1.1 response queue poisoning issue in
Node.js http.Agent that became CVE-2026-48931, and the Node.js team
reviewed it and shipped it through the security process. Looking back,
two things about that were mistakes, and one of them broke a lot of
people's deploys. This post is me owning the parts that were mine.
The short version:
1. The underlying behavior is real and worth hardening against. The guard
I added is good defense in depth and should stay.
2. Treating it as a vulnerability and pushing it onto the security-release
track was the wrong instrument for the problem. This is something HTTP/1.1
does by design, not a bug specific to http.Agent.
3. The fix I wrote carried a publicly observable side effect that made
node-fetch@2 emit false ERR_STREAM_PREMATURE_CLOSE errors, which cascaded
into Google API auth, Firebase, Backstage, and the official Docker images.
That one is squarely on me.
https://adventures.nodeland.dev/archive/cve-2026-48931-shouldnt-have-been-a-cve/
goes into much further detail.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris