BIT-node-2026-21711

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21711.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-node-2026-21711
Aliases
Published
2026-04-06T07:58:30.648Z
Modified
2026-04-06T08:41:21.938223282Z
Summary
[none]
Details

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js 25.x processes using the Permission Model where --allow-net is intentionally omitted to restrict network access. Note that --allow-net is currently an experimental feature.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
25.0.0
Fixed
25.8.2

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21711.json"