Impact
The vulnerability lies in Node.js Permission Model enforcement and allows attackers to bypass path validation in the process.report.writeReport API. This flaw can lead to the exposure of confidential data or the circumvention of intended security boundaries. The weakness is categorized as an improper access control issue (CWE-284).
Affected Systems
Affected systems include Node.js versions 22, 24, and 26, all of which are supported release lines of the nodejs:node product.
Risk and Exploitability
The CVSS score of 1.8 indicates low severity and the EPSS score is unavailable, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. No publicly available exploits have been disclosed, and the attack likely requires an attacker with local or privileged code execution to invoke process.report.writeReport and craft a malicious path. The absence of public exploits and the limited scope of the impact reduce the overall risk, but the flaw still undermines access control guarantees.
OpenCVE Enrichment