A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the --allow-net permission.
This vulnerability affects one supported release line: Node.js 26.
{
"cpes": [
"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"
],
"severity": "Low"
}