CVE-2026-21636

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-21636
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21636.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21636
Aliases
Downstream
Related
Published
2026-01-20T21:16:05.813Z
Modified
2026-03-13T03:56:32.386520Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

  • The issue affects users of the Node.js permission model on version v25.

In the moment of this vulnerability, network permissions (--allow-net) are still in the experimental phase.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
0b3a10d4c8ba5e15429287e725d22615be896e95
Fixed
00d6cd83927d6d5c8fe9d0cdd101daa6df4b1a15
Database specific 
{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.3.0"
        }
    ]
}

Affected versions

v25.*
v25.0.0
v25.1.0
v25.2.0
v25.2.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21636.json"