Description
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.

As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Published: 2026-03-30
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Permission Changes
Action: Update Node
AI Analysis

Impact

An incomplete fix for a previous issue left promise‑based file handle methods without required permission checks, while the callback equivalents were patched correctly. The flaw allows code running under Node’s permission model with the --allow‑fs‑write restriction to still modify file permissions and ownership on already‑opened file descriptors using FileHandle.chmod() or FileHandle.chown(). The omission enables an attacker or malicious code to bypass intended write restrictions, elevating privilege to change file metadata such as permissions or owner. The weakness maps to authority bypass, improper access control, and missing authorization.

Affected Systems

The vulnerability affects Node.js processes in the 20.x, 22.x, 24.x, and 25.x series when operating under the Permission Model that restricts file write access with --allow‑fs‑write. All installations of the nodejs:node product in those versions are impacted if they rely on the promises API for file‐permission manipulation.

Risk and Exploitability

The CVSS score of 3.3 indicates low overall severity, and the EPSS score below 1% suggests a relatively low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers likely need code that can execute with restricted filesystem write permission but still has access to Node’s promise API; thus exploitation requires local code execution and awareness of the promise-based API. With the patch still pending for some distributions, the vulnerability persists until the fix is applied, but current evidence does not point to widespread public exploits.

Generated by OpenCVE AI on March 31, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Node.js releases that include the patch for the promises‑API permission check bug.

Generated by OpenCVE AI on March 31, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Promises API Permission Checks Bypass Allows Unauthorized File Permission Changes nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-269
CWE-284		 CWE-279
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}

threat_severity

Low

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Promises API Permission Checks Bypass Allows Unauthorized File Permission Changes
Weaknesses CWE-269
CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T14:27:23.323Z

Reserved: 2026-01-04T15:00:06.575Z

Link: CVE-2026-21716

cve-icon Vulnrichment

Updated: 2026-03-31T14:27:19.730Z

cve-icon NVD

Status : Received

Published: 2026-03-30T20:16:19.873

Modified: 2026-03-31T15:16:11.863

Link: CVE-2026-21716

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21716 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:40:23Z

Weaknesses