Description
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Published: 2026-06-18
Score: 1.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Node.js Permission Model enforcement and allows attackers to bypass path validation in the process.report.writeReport API. This flaw can lead to the exposure of confidential data or the circumvention of intended security boundaries. The weakness is categorized as an improper access control issue (CWE-284).

Affected Systems

Affected systems include Node.js versions 22, 24, and 26, all of which are supported release lines of the nodejs:node product.

Risk and Exploitability

The CVSS score of 1.8 indicates low severity and the EPSS score is unavailable, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. No publicly available exploits have been disclosed, and the attack likely requires an attacker with local or privileged code execution to invoke process.report.writeReport and craft a malicious path. The absence of public exploits and the limited scope of the impact reduce the overall risk, but the flaw still undermines access control guarantees.

Generated by OpenCVE AI on June 18, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor patch for Node.js 22/24/26 released in the June 2026 security updates.
  • Disable or restrict application use of process.report.writeReport to prevent inadvertent path manipulation.
  • Verify that applications enforce proper file‑system access controls before invoking process.report.writeReport, and audit permission boundaries for unintended exposure.

Generated by OpenCVE AI on June 18, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nodejs
Nodejs nodejs
Vendors & Products Nodejs
Nodejs nodejs

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Node.js Permission Model Bypass via process.report.writeReport Path Misvalidation

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 1.8, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-18T18:34:10.166Z

Reserved: 2026-05-22T15:00:09.276Z

Link: CVE-2026-48617

cve-icon Vulnrichment

Updated: 2026-06-18T18:27:49.438Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:30:04Z

Weaknesses