CVE-2026-21636

high

Description

A flaw in the Node.js permission model allows Unix domain socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. At the time of this vulnerability, network permissions (--allow-net) were still experimental.

Credit: Thank you to mufeedvh for reporting this vulnerability and to RafaelGSS for fixing it.

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Details

Source: Mitre, NVD

Published: 2026-01-13

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High