CVE-2026-21715 PUBLISHED

Assigner: hackerone
Reserved: 04.01.2026 Published: 30.03.2026 Updated: 30.03.2026

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native() without the required read permission checks, while all comparable filesystem functions correctly enforce them.

As a result, code running under --permission with restricted --allow-fs-read can still use fs.realpathSync.native() to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where --allow-fs-read is intentionally restricted.

Metrics

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.3

Product Status

Vendor nodejs
Product node
Versions Default: unaffected
  • affected from 20.20.1 to 20.20.1 (incl.)
  • affected from 22.22.1 to 22.22.1 (incl.)
  • affected from 24.14.0 to 24.14.0 (incl.)
  • affected from 25.8.1 to 25.8.1 (incl.)
  • affected from 4.0 to 4.* (excl.)
  • affected from 5.0 to 5.* (excl.)
  • affected from 6.0 to 6.* (excl.)
  • affected from 7.0 to 7.* (excl.)
  • affected from 8.0 to 8.* (excl.)
  • affected from 9.0 to 9.* (excl.)
  • affected from 10.0 to 10.* (excl.)
  • affected from 11.0 to 11.* (excl.)
  • affected from 12.0 to 12.* (excl.)
  • affected from 13.0 to 13.* (excl.)
  • affected from 14.0 to 14.* (excl.)
  • affected from 15.0 to 15.* (excl.)
  • affected from 16.0 to 16.* (excl.)
  • affected from 17.0 to 17.* (excl.)
  • affected from 18.0 to 18.* (excl.)
  • affected from 19.0 to 19.* (excl.)

References