CVE-2026-21636

Critical CVSS: 10.0

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

* The issue affects users of the Node.js permission model on version v25.

In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

Vendor

Nodejs

Product

Node.js

CWE

CWE-284

Yayın Tarihi

2026-01-20 21:16:05

Güncelleme

2026-01-30 20:20:56

Source Identifier

support@hackerone.com

KEV Date Added

Kategoriler

CWE-284 Node.js CRITICAL Nodejs 2026

Referanslar

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Benzer Kayıtlar

Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject…

High

CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's Byt…

High

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_m…

Medium

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulne…

High

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessa…

Medium

CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Co…