CVE-2026-21715

medium

Description

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native() without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use fs.realpathSync.native() to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. Thank you, to stif for reporting this vulnerability and thank you RafaelGSS for fixing it.

Details

Source: Mitre, NVD

Published: 2026-03-24

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N