{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21716", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.575Z", "datePublished": "2026-03-30T19:07:28.538Z", "dateUpdated": "2026-03-31T14:27:23.323Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:27:06.373734Z", "id": "CVE-2026-21716", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:27:23.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21716", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:27:06.373734Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:27:19.730Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21716", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:27:23.323Z", "dateReserved": "2026-01-04T15:00:06.575Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.538Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}, {"lang": "es", "value": "Una soluci\u00f3n incompleta para CVE-2024-36137 deja `FileHandle.chmod()` y `FileHandle.chown()` en la API de promesas sin las comprobaciones de permisos requeridas, mientras que sus equivalentes basados en callbacks (`fs.fchmod()`, `fs.fchown()`) fueron parcheados correctamente.\n\nComo resultado, el c\u00f3digo que se ejecuta bajo `--permission` con `--allow-fs-write` restringido a\u00fan puede usar m\u00e9todos `FileHandle` basados en promesas para modificar los permisos y la propiedad de los archivos en descriptores de archivo ya abiertos, eludiendo las restricciones de escritura previstas.\n\nEsta vulnerabilidad afecta a los procesos 20.x, 22.x, 24.x y 25.x que utilizan el Modelo de Permisos donde `--allow-fs-write` est\u00e1 restringido intencionalmente."}], "id": "CVE-2026-21716", "lastModified": "2026-03-31T15:16:11.863", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.873", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:50:34.533409+00:00", "value": {"mitigation_remediation": ["Update Node.js to the March\u202f2026 security release or later, which completes the permission model fix.", "Verify that the --allow\u2011fs\u2011write flag remains set to the intended restrictive value in all production deployments.", "Audit application code for the use of FileHandle.chmod() or FileHandle.chown() in promise form and replace or remove them if they are unnecessary.", "Enable logging or monitoring to detect unexpected permission or ownership changes performed by the Node.js process."], "summary": {"action": "Apply Patch", "impact": "Unauthorized File Permission Changes"}, "threat_synthesis": {"affected_systems": "All Node.js runtimes in the 20.x, 22.x, 24.x, and 25.x series that are deployed with the Permission Model and keep --allow-fs-write intentionally restricted. The flaw resides inside the core of Node.js, therefore the operating system has no influence on the affected versions.", "description_and_impact": "An incomplete fix for a previous Node.js flaw leaves promise\u2011based FileHandle.chmod() and FileHandle.chown() without proper permission checks, while the callback equivalents were patched. As a result, code that runs under the Permission Model with the --allow-fs-write flag turned off can still change file modes or owners on already\u2011open descriptors using promise functions. The vulnerability exposes a local privilege escalation path that allows a compromised or malicious script to alter security settings of files that should otherwise be protected by the runtime.", "risk_and_exploitability": "The CVSS score of 3.3 classifies the issue as low to moderate severity. Because no public exploits or catalog entries exist, the probability of attack is uncertain, although any code that can execute in the Node.js process can abuse the missing checks. Attackers rely on being able to run JavaScript within the process; there is no network\u2011exposed entry point identified."}}}}, "created": "2026-03-30T20:55:10.286051+00:00", "title": "Node.js Promises API Permission Checks Bypass Allows Unauthorized File Permission Changes", "updated": "2026-03-30T20:55:10.286083+00:00", "vendors": [], "weaknesses": ["CWE-284", "CWE-269"]}