{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21711", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.526Z", "dateUpdated": "2026-04-01T15:03:21.612Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.526Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:02:57.115426Z", "id": "CVE-2026-21711", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:03:21.612Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}, {"lang": "es", "value": "Un fallo en la aplicaci\u00f3n de red del Modelo de Permisos de Node.js deja las operaciones del servidor de Sockets de Dominio Unix (UDS) sin las comprobaciones de permisos requeridas, mientras que todas las rutas de red comparables las aplican correctamente.\n\nComo resultado, el c\u00f3digo que se ejecuta bajo --permission sin --allow-net puede crear y exponer puntos finales IPC locales, permitiendo la comunicaci\u00f3n con otros procesos en el mismo host fuera del l\u00edmite de restricci\u00f3n de red previsto.\n\nEsta vulnerabilidad afecta a los procesos de Node.js 25.x que utilizan el Modelo de Permisos donde se omite intencionadamente --allow-net para restringir el acceso a la red. Tenga en cuenta que --allow-net es actualmente una caracter\u00edstica experimental."}], "id": "CVE-2026-21711", "lastModified": "2026-04-01T16:23:48.813", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.260", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks", "id": "2453158", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453158"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-940", "details": ["A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket (UDS) server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication (IPC) endpoints. As a result, unauthorized communication can occur between processes on the same host, bypassing the intended network security restrictions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21711", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21711\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21711\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.8.1,25.8.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,5.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,7.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,10.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,11.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,12.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,13.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,14.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,15.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,16.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,17.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,18.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.0.0,19.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,20.0.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-03-30T20:50:44.378402+00:00", "value": {"mitigation_remediation": ["Update Node.js to a version that includes the fix for the permission model enforcement issue.", "If an immediate upgrade is not possible, disable the experimental --permission flag or ensure --allow-net is set to prevent unauthorized IPC exposure."], "summary": {"action": "Apply Patch", "impact": "Unauthorized IPC Exposure"}, "threat_synthesis": {"affected_systems": "Node.js version 25.x processes running with the Permission Model where --allow-net is intentionally omitted. The vulnerability applies only to processes started with the experimental --permission flag while network access remains disabled, affecting users who enforce outbound network restrictions in Node.js 25.x.", "description_and_impact": "A flaw in Node.js\u2019s permission model network enforcement allows Unix Domain Socket server operations to bypass the required permission checks. When a process is run with the experimental --permission flag but without the --allow-net option, the application can create and expose local interprocess communication endpoints that are not subject to the intended network restrictions. This permits local processes to communicate through these sockets, potentially leaking sensitive data or executing code in the context of other local applications.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS information is unavailable, so the likelihood of exploitation is uncertain. The likely attack vector is local: an attacker who can run code on the host machine must target a Node.js process configured with --permission and without --allow-net to create Unix Domain Socket endpoints, enabling communication with other local processes and potential data exfiltration or privilege escalation."}}}}, "created": "2026-03-30T20:55:11.210623+00:00", "title": "Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets", "updated": "2026-03-31T20:40:23.984804+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"], "weaknesses": ["CWE-284"]}