Description
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
Published: 2026-03-30
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized inter‑process communication via Unix Domain Sockets
Action: Apply Patch
AI Analysis

Impact

A flaw in Node.js’s experimental Permission Model leaves Unix Domain Socket server operations without required permission checks while other network paths enforce them correctly. As a result, a Node.js process running with the --permission flag but without the --allow-net flag can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

Affected Systems

This vulnerability affects Node.js 25.x releases that enable the Permission Model and intentionally omit --allow-net, restricting network access. Processes that do not use the experimental Permission Model or that include --allow-net are not impacted.

Risk and Exploitability

The CVSS score of 5.2 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and based on the description it is inferred that exploitation requires a locally running Node.js process configured with --permission and without --allow-net, thus the attack surface is primarily local. No information indicates a remote exploitation vector.

Generated by OpenCVE AI on April 1, 2026 at 06:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Node.js release that includes the fix for missing Unix Domain Socket permission checks.
  • If an upgrade is not immediately feasible, disable the Permission Model for processes that do not need it, or include the --allow-net flag only when network access is explicitly required.
  • Review application code and system configuration to ensure no unnecessary UDS endpoints are created or exposed.
  • Monitor for unexpected IPC activity over Unix Domain Sockets to detect potential misuse.

Generated by OpenCVE AI on April 1, 2026 at 06:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-940
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets
Weaknesses CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
References
Metrics cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-01T15:03:21.612Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21711

cve-icon Vulnrichment

Updated: 2026-04-01T15:03:14.342Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.260

Modified: 2026-04-01T16:23:48.813

Link: CVE-2026-21711

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21711 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:02Z

Weaknesses