CVE-2026-21715

EUVD-2026-17178
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.

As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bookworm
18.20.4+dfsg-1~deb12u1
fixed
bookworm (security)
18.20.4+dfsg-1~deb12u2
fixed
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u7
fixed
forky
24.15.0+dfsg+~cs24.12.2-1
fixed
sid
24.15.0+dfsg+~cs24.12.2-1
fixed
trixie
vulnerable
trixie (security)
20.19.2+dfsg-1+deb13u2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs20
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs20-devel
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs20-docs
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
nodejs22
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs22-devel
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs22-docs
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
nodejs24
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
nodejs24-devel
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
nodejs24-docs
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
npm20
suse enterprise server 15 SP5
20.20.2-150500.11.27.1
fixed
suse enterprise server 15 SP6
20.20.2-150600.3.18.1
fixed
npm22
suse enterprise sap 15 SP7
22.22.2-150700.3.9.1
fixed
suse enterprise server 15 SP6
22.22.2-150600.13.15.1
fixed
suse enterprise server 15 SP7
22.22.2-150700.3.9.1
fixed
npm24
suse enterprise sap 15 SP7
24.14.1-150700.15.8.1
fixed
suse enterprise server 15 SP7
24.14.1-150700.15.8.1
fixed
Common Weakness Enumeration
References
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases