CVE-2026-21711 PUBLISHED

Assigner: hackerone
Reserved: 04.01.2026 Published: 30.03.2026 Updated: 30.03.2026

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js 25.x processes using the Permission Model where --allow-net is intentionally omitted to restrict network access. Note that --allow-net is currently an experimental feature.

Metrics

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 5.3

Product Status

Vendor nodejs
Product node
Versions Default: unaffected
  • affected from 25.8.1 to 25.8.1 (incl.)
  • affected from 4.0 to 4.* (excl.)
  • affected from 5.0 to 5.* (excl.)
  • affected from 6.0 to 6.* (excl.)
  • affected from 7.0 to 7.* (excl.)
  • affected from 8.0 to 8.* (excl.)
  • affected from 9.0 to 9.* (excl.)
  • affected from 10.0 to 10.* (excl.)
  • affected from 11.0 to 11.* (excl.)
  • affected from 12.0 to 12.* (excl.)
  • affected from 13.0 to 13.* (excl.)
  • affected from 14.0 to 14.* (excl.)
  • affected from 15.0 to 15.* (excl.)
  • affected from 16.0 to 16.* (excl.)
  • affected from 17.0 to 17.* (excl.)
  • affected from 18.0 to 18.* (excl.)
  • affected from 19.0 to 19.* (excl.)

References