A flaw in the Node.js Permission API allows to spin up a new server via a Unix domain socket even when the application is run without the --allow-net permission. This exposes a local service that can be accessed by other processes on the same host, potentially enabling further abuse or data exfiltration if the service processes sensitive input.

Node.js 26, the actively supported release line for the Node.js runtime. Any installation of this version that relies on the Permission API and runs with restricted network permissions may be vulnerable.

The CVSS score of 3.3 classifies the vulnerability as low severity. Exploit probability data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation. The likely attack vector is local; an attacker must already have some level of host access to trigger the flaw. While the risk of widespread impact is low, the presence of a local unauthorized service can still be leveraged for privilege escalation or lateral movement within the host environment.