Description
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.

As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Published: 2026-03-30
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of file permissions and ownership via promise‑based FileHandle methods
Action: Apply Patch
AI Analysis

Impact

An incomplete fix for a prior Node.js flaw left promise‑based FileHandle.chmod() and FileHandle.chown() without required permission checks while their callback equivalents were patched. As a result, code that is intended to be restricted under the Permission Model—i.e., running with --permission and a limited --allow‑fs‑write flag—can still alter permissions and ownership on already‑opened file descriptors. The weakness allows a malicious or compromised application to subvert intended security controls, potentially exposing sensitive files to unauthorized modification. The issue is rooted in misapplied access‑control logic (CWE‑279, CWE‑862).

Affected Systems

Node.js releases 20.x, 22.x, 24.x, and 25.x run under the Permission Model with a restricted --allow‑fs‑write setting are affected. The vulnerability is specific to the promise‑based FileHandle API and does not impact the callback‑based fs.fchmod() or fs.fchown() functions, which were patched correctly. Users of these Node.js versions who rely on the Permission Model to enforce filesystem write limits are potentially exposed.

Risk and Exploitability

The CVSS score of 3.8 classifies the vulnerability as moderate, and the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is local code running inside a Node.js process configured with the Permission Model; an attacker can craft or alter code that invokes the promise methods to modify file permissions or ownership despite the --allow‑fs‑write restriction. Detection would require monitoring for abnormal permission changes from confined Node.js workloads.

Generated by OpenCVE AI on April 1, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node.js to a version where the credential‑check logic for promise‑based methods has been corrected (see the March 2026 security release notes).
  • If an upgrade is not immediately possible, avoid using FileHandle.promise.chmod() or FileHandle.promise.chown() in code that operates under the Permission Model; prefer the callback versions (fs.fchmod(), fs.fchown()).
  • Temporarily disable the --permission flag or remove the --allow‑fs‑write restriction for workloads that require permission‑changing capabilities, ensuring that only trusted code has such privileges.

Generated by OpenCVE AI on April 1, 2026 at 05:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6183-1 nodejs security update
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Node.js Promises API Permission Checks Bypass Allows Unauthorized File Permission Changes nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.
First Time appeared Nodejs
Nodejs nodejs
Weaknesses CWE-269
CWE-284		 CWE-279
Vendors & Products Nodejs
Nodejs nodejs
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}

threat_severity

Low

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Node.js Promises API Permission Checks Bypass Allows Unauthorized File Permission Changes
Weaknesses CWE-269
CWE-284

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Nodejs Nodejs
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-03-31T14:27:23.323Z

Reserved: 2026-01-04T15:00:06.575Z

Link: CVE-2026-21716

cve-icon Vulnrichment

Updated: 2026-03-31T14:27:19.730Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T20:16:19.873

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-21716

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-30T19:07:28Z

Links: CVE-2026-21716 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:01Z

Weaknesses