CRITICAL🇵🇱 Wersja polska

CVE-2026-21636

CVSS 10.0v3.1pub. 2026-01-20upd. 2026-01-30

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

🤖 AI Analysis
How it works

When Node.js is run with the `--permission` flag, the permission model should block unauthorized network connections. However, an attacker can supply controlled input data (e.g., a URL or `socketPath` option) that establishes connections to arbitrary local UDS sockets via the `net`, `tls`, or `undici`/`fetch` modules. The Unix Domain Socket mechanism is not covered by the access control enforced by `--allow-net`, resulting in a breach of the intended security boundary of the permission model. This allows communication with privileged local services accessible only through UDS.

Impact

An attacker can gain unauthorized access to privileged local services, which may result in privilege escalation, disclosure of sensitive data, or local code execution (RCE/LPE).

Mitigation & patch

Patches available from the vendor should be applied according to the references (https://nodejs.org/en/blog/vulnerability/december-2025-security-releases). Until updating, avoid passing untrusted input data as URLs or `socketPath` in applications running with the `--permission` flag, and restrict access to environments using Node.js v25.

Who is affected

Node.js version v25 with the permission model enabled (the `--permission` flag). Affects environments running on Unix/Linux systems that use Unix Domain Sockets.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Node.js

    APP
    Nodejs
    25.0.0 – 25.3.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCELPE
CWE
References

Related vulnerabilities

CVE-2026-48930CRITICAL9.8PL ✓ten sam produkt

Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority

CVE-2025-55130CRITICAL9.1PL ✓ten sam produkt

Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki

CVE-2024-3566CRITICAL9.8PL ✓ten sam produkt

Command injection w aplikacjach Windows korzystających z CreateProcess

CVE-2024-21896CRITICAL9.8PL ✓ten sam produkt

Path traversal w Permission Model Node.js przez monkey-patching Buffer

CVE-2023-39332CRITICAL9.8ten sam produkt

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...