Description
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.

As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Published: 2026-03-30
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Node.js enforces a Permission Model that restricts file system access to processes running with the --allow-fs-read flag. However, the realpathSync.native() method is exempt from the required read permission checks, allowing local code running under restricted file system reads to verify the existence of files, resolve symlinks, and traverse paths outside the permitted directories. This flaw can reveal the structure of the file system, sensitive file names, and other details that should remain hidden, resulting in information disclosure.

Affected Systems

The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x when the Permission Model is enabled and --allow-fs-read is intentionally disabled. All processes running under these configurations that invoke fs.realpathSync.native() are susceptible.

Risk and Exploitability

The CVSS score of 3.3 indicates a low overall severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires code execution within a Node.js process that has been restricted by the Permission Model, implying an attacker would need local access to inject or run malicious JavaScript. The attack vector is inferred to be local, as the flaw does not expose a network-facing entry point.

Generated by OpenCVE AI on April 2, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Node.js to the latest patch release for 20.x, 22.x, 24.x, and 25.x that addresses the fs.realpathSync.native() permission check issue.
  • Verify that the --allow-fs-read flag is correctly configured for all processes that run with the Permission Model.
  • If immediate patching is not feasible, avoid calling fs.realpathSync.native() from untrusted or external code to prevent information disclosure.
  • Monitor application behavior and logs for attempts to resolve paths outside of intended directories, and consider applying additional application-layer controls to restrict filesystem enumeration.

Generated by OpenCVE AI on April 2, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-732

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Allows Unauthorized File Path Discovery via fs.realpathSync.native Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-425
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Low

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Allows Unauthorized File Path Discovery via fs.realpathSync.native
Weaknesses CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-01T15:02:10.706Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21715

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.703

Modified: 2026-04-01T16:23:48.967

Link: CVE-2026-21715

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21715 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:06Z

Weaknesses