BIT-node-min-2026-21711

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2026-21711.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-node-min-2026-21711

Aliases

BIT-node-2026-21711
CVE-2026-21711

Published

2026-04-06T07:58:44.713Z

Modified

2026-04-06T08:41:21.938223282Z

Summary

[none]

Details

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js 25.x processes using the Permission Model where --allow-net is intentionally omitted to restrict network access. Note that --allow-net is currently an experimental feature.

Database specific

{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / node-min

Package

Name: node-min
Purl: pkg:bitnami/node-min

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

25.0.0

Fixed

25.8.2

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/node-min/BIT-node-min-2026-21711.json"