{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21711", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.526Z", "dateUpdated": "2026-03-30T19:07:28.526Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.526Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}], "id": "CVE-2026-21711", "lastModified": "2026-03-30T20:16:19.260", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.260", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:50:44.378402+00:00", "value": {"mitigation_remediation": ["Update Node.js to a version that includes the fix for the permission model enforcement issue.", "If an immediate upgrade is not possible, disable the experimental --permission flag or ensure --allow-net is set to prevent unauthorized IPC exposure."], "summary": {"action": "Apply Patch", "impact": "Unauthorized IPC Exposure"}, "threat_synthesis": {"affected_systems": "Node.js version 25.x processes running with the Permission Model where --allow-net is intentionally omitted. The vulnerability applies only to processes started with the experimental --permission flag while network access remains disabled, affecting users who enforce outbound network restrictions in Node.js 25.x.", "description_and_impact": "A flaw in Node.js\u2019s permission model network enforcement allows Unix Domain Socket server operations to bypass the required permission checks. When a process is run with the experimental --permission flag but without the --allow-net option, the application can create and expose local interprocess communication endpoints that are not subject to the intended network restrictions. This permits local processes to communicate through these sockets, potentially leaking sensitive data or executing code in the context of other local applications.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS information is unavailable, so the likelihood of exploitation is uncertain. The likely attack vector is local: an attacker who can run code on the host machine must target a Node.js process configured with --permission and without --allow-net to create Unix Domain Socket endpoints, enabling communication with other local processes and potential data exfiltration or privilege escalation."}}}}, "created": "2026-03-30T20:55:11.210623+00:00", "title": "Node.js Permission Model Bypasses Network Restrictions, Exposes Unix Domain Sockets", "updated": "2026-03-30T20:55:11.210668+00:00", "vendors": [], "weaknesses": ["CWE-284"]}