CVE-2026-21636

20.01.2026, 21:16

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

* The issue affects users of the Node.js permission model on version v25.

In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.8 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
hackerone	CNA	5.8 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

nodejs

bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u7 fixed
bookworm	18.20.4+dfsg-1~deb12u1 fixed
bookworm (security)	18.20.4+dfsg-1~deb12u1 fixed
trixie	20.19.2+dfsg-1 fixed
forky	22.22.0+dfsg+~cs22.19.6-1 fixed
sid	22.22.0+dfsg+~cs22.19.6-1 fixed

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases