Description
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.

As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Published: 2026-03-30
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A weakness in Node.js’ Permission Model causes the native realpath function to bypass read permission checks, enabling code running with the --permission flag and restricted --allow-fs-read to discover the existence of files, resolve symbolic links, and enumerate paths outside the permitted directories. The flaw can reveal sensitive directory structures and file names that should remain hidden, constituting an information disclosure vulnerability. The core weakness is a missing authentication check in filesystem access, which falls under the category of improper access control.

Affected Systems

The defect affects nodejs node versions 20.x, 22.x, 24.x, and 25.x when the Permission Model is enabled and the filesystem read permission flag is intentionally restricted. Any application running under these conditions can potentially probe for files beyond their safe area.

Risk and Exploitability

With a CVSS score of 3.3, the vulnerability is rated low severity. It can be exploited locally by any code that can run JavaScript within the restricted permission context. The attack does not require network access or administrative privileges; it merely requires the ability to execute code under the permission model. The impact is limited to revealing filesystem information and does not lead to code execution or denial of service. The vulnerability is not currently listed in the known-exploited-vulnerabilities catalog.

Generated by OpenCVE AI on March 30, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Node.js release from the March 2026 security update that fixes permission enforcement in fs.realpathSync.native
  • If an immediate upgrade is not possible, remove or replace uses of fs.realpathSync.native in application code with alternative checks that honor permission flags
  • Verify that --allow-fs-read is only granted to trusted code paths and monitor for unexpected filesystem access attempts

Generated by OpenCVE AI on March 30, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-732

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Allows Unauthorized File Path Discovery via fs.realpathSync.native Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-425
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Low

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Allows Unauthorized File Path Discovery via fs.realpathSync.native
Weaknesses CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-04-01T15:02:10.706Z

Reserved: 2026-01-04T15:00:06.574Z

Link: CVE-2026-21715

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.703

Modified: 2026-04-01T16:23:48.967

Link: CVE-2026-21715

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21715 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:24Z

Weaknesses