Description
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

* The issue affects users of the Node.js permission model on version v25.

At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
Published: 2026-01-20
Score: 10.0 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in Node.js’s permission model allows Unix Domain Socket connections to bypass network restrictions when the --permission flag is enabled. Even without the --allow-net flag, attacker‑controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets through the net, tls, or undici/fetch APIs. This violates the intended security boundary and lets an attacker access privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The weakness involves improper access control (CWE‑284) and flawed permission handling (CWE‑281).

Affected Systems

Node.js version 25 on any platform that uses the experimental permission model. Users of the nodejs:node product are affected.

Risk and Exploitability

The CVSS score is 10.0, indicating maximum severity, while the EPSS score is below 1 %, suggesting a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires a Node.js process run with the --permission flag, plus attacker-supplied input that provides a malicious URL or socket path. The attacker can then establish connections to privileged Unix domain sockets, breach local isolation, and potentially gain local privilege escalation or execute code on the host. The experimental nature of network permissions means the attack surface is limited to environments that have enabled these features, but the impact remains severe once the flaw is present.

Generated by OpenCVE AI on April 18, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to the latest version that includes the permission model fix
  • Remove or disable the --permission flag until a patched version is available
  • Validate and sanitize all URLs and socketPath inputs before using them in network or socket operations
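
The third action above, sketched as a pre-connection guard. This is an added example, not code from Node.js, undici, or OpenCVE; the function names `rejectLocalSocket` and `checkUrl` and the allow-list values are assumptions made for illustration.

```javascript
// Added example: a hypothetical pre-connection guard, not Node.js or undici code.
// Option key that selects a Unix domain socket for each client API.
// Note: in http.request options, `path` is the request path, not a socket.
const SOCKET_KEY = { net: 'path', tls: 'path', http: 'socketPath', undici: 'socketPath' };

// Constructed policy for the example: adjust to the deployment.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['api.example.com']);

// Throws if connection options for `api` would target a local socket.
function rejectLocalSocket(api, options) {
  const key = SOCKET_KEY[api];
  if (!key) throw new TypeError(`unknown client API: ${api}`);
  // undici also accepts connector options in a nested `connect` object.
  const layers = [options, options && options.connect]
    .filter((o) => o !== null && typeof o === 'object');
  for (const layer of layers) {
    // Property access follows the prototype chain, so inherited keys count.
    if (layer[key] != null) {
      throw new Error(`${api}: local socket option "${key}" is not allowed`);
    }
  }
  return options;
}

// Parses an untrusted URL and returns it only if scheme and host are allowed.
function checkUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    throw new Error('URL could not be parsed');
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`scheme ${url.protocol} is not allowed`);
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`host ${url.hostname} is not allowed`);
  }
  return url;
}
```

Call the guard on any externally influenced value before it reaches `net`, `tls`, `http`, or undici/fetch; it complements, and does not replace, moving to a fixed Node.js release.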


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs node.js
CPEs cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Vendors & Products Nodejs node.js
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 21 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
Title nodejs: Nodejs network segmentation bypass
Weaknesses CWE-281
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

threat_severity

Moderate


Wed, 21 Jan 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Tue, 20 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
References
Metrics cvssV3_0

{'score': 5.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-01-21T18:52:53.133Z

Reserved: 2026-01-01T15:00:02.339Z

Link: CVE-2026-21636

Vulnrichment

Updated: 2026-01-21T18:40:15.504Z

NVD

Status: Analyzed

Published: 2026-01-20T21:16:05.813

Modified: 2026-01-30T20:20:56.843

Link: CVE-2026-21636

Redhat

Severity: Moderate

Public Date: 2026-01-20T20:41:55Z

Links: CVE-2026-21636 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses