{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21715", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.507Z", "dateUpdated": "2026-03-30T19:07:28.507Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.507Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."}], "id": "CVE-2026-21715", "lastModified": "2026-03-30T20:16:19.703", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.703", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:51:12.324447+00:00", "value": {"mitigation_remediation": ["Apply the latest Node.js release from the March\u202f2026 security update that fixes permission enforcement in fs.realpathSync.native", "If an immediate upgrade is not possible, remove or replace uses of fs.realpathSync.native in application code with alternative checks that honor permission flags", "Verify that --allow-fs-read is only granted to trusted code paths and monitor for unexpected filesystem access attempts"], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The defect affects nodejs node versions 20.x, 22.x, 24.x, and 25.x when the Permission Model is enabled and the filesystem read permission flag is intentionally restricted. Any application running under these conditions can potentially probe for files beyond their safe area.", "description_and_impact": "A weakness in Node.js\u2019 Permission Model causes the native realpath function to bypass read permission checks, enabling code running with the --permission flag and restricted --allow-fs-read to discover the existence of files, resolve symbolic links, and enumerate paths outside the permitted directories. The flaw can reveal sensitive directory structures and file names that should remain hidden, constituting an information disclosure vulnerability. The core weakness is a missing authentication check in filesystem access, which falls under the category of improper access control.", "risk_and_exploitability": "With a CVSS score of 3.3, the vulnerability is rated low severity. It can be exploited locally by any code that can run JavaScript within the restricted permission context. The attack does not require network access or administrative privileges; it merely requires the ability to execute code under the permission model. The impact is limited to revealing filesystem information and does not lead to code execution or denial of service. The vulnerability is not currently listed in the known-exploited-vulnerabilities catalog."}}}}, "created": "2026-03-30T20:55:12.132860+00:00", "title": "Node.js Permission Model Allows Unauthorized File Path Discovery via fs.realpathSync.native", "updated": "2026-03-30T20:55:12.132903+00:00", "vendors": [], "weaknesses": ["CWE-284"]}