Description
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
Published: 2026-03-30
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized IPC Exposure
Action: Apply Patch
AI Analysis

Impact

A flaw in Node.js’s permission model network enforcement allows Unix Domain Socket server operations to bypass the required permission checks. When a process is run with the experimental --permission flag but without the --allow-net option, the application can create and expose local interprocess communication endpoints that are not subject to the intended network restrictions. This permits local processes to communicate through these sockets, potentially leaking sensitive data or executing code in the context of other local applications.

Affected Systems

Node.js version 25.x processes running with the Permission Model where --allow-net is intentionally omitted. The vulnerability applies only to processes started with the experimental --permission flag while network access remains disabled, affecting users who enforce outbound network restrictions in Node.js 25.x.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS information is unavailable, so the likelihood of exploitation is uncertain. The likely attack vector is local: an attacker who can run code on the host machine must target a Node.js process configured with --permission and without --allow-net to create Unix Domain Socket endpoints, enabling communication with other local processes and potential data exfiltration or privilege escalation.

Generated by OpenCVE AI on March 30, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Node.js to a version that includes the fix for the permission model enforcement issue.
  • If an immediate upgrade is not possible, disable the experimental --permission flag or ensure --allow-net is set to prevent unauthorized IPC exposure.

Generated by OpenCVE AI on March 30, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-940
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets
Weaknesses CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
References
Metrics cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-01T15:03:21.612Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21711

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.260

Modified: 2026-04-01T16:23:48.813

Link: CVE-2026-21711

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21711 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:23Z

Weaknesses