{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21636", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-01T15:00:02.339Z", "datePublished": "2026-01-20T20:41:55.700Z", "dateUpdated": "2026-01-21T18:52:53.133Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.\n\n* The issue affects users of the Node.js permission model on version v25.\n\nIn the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "25.2.1", "status": "affected", "lessThanOrEqual": "25.2.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-01-20T20:41:55.700Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T18:38:13.137061Z", "id": "CVE-2026-21636", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T18:52:53.133Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T18:38:13.137061Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T18:40:15.504Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "25.2.1", "versionType": "semver", "lessThanOrEqual": "25.2.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.\n\n* The issue affects users of the Node.js permission model on version v25.\n\nIn the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-01-20T20:41:55.700Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21636", "state": "PUBLISHED", "dateUpdated": "2026-01-21T18:52:53.133Z", "dateReserved": "2026-01-01T15:00:02.339Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-01-20T20:41:55.700Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "970EF154-D905-4FDA-85CB-C3AB08BEFAEC", "versionEndExcluding": "25.3.0", "versionStartIncluding": "25.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.\n\n* The issue affects users of the Node.js permission model on version v25.\n\nIn the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase."}], "id": "CVE-2026-21636", "lastModified": "2026-01-30T20:20:56.843", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-20T21:16:05.813", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: Nodejs network segmentation bypass", "id": "2431342", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431342"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-281", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21636", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-20T20:41:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21636\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21636\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T04:44:40.404313+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to the latest version that includes the permission model fix", "Remove or disable the --permission flag until a patched version is available", "Validate and sanitize all URLs and socketPath inputs before using them in network or socket operations"], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Node.js version 25 on any platform that uses the experimental permission model. Users of the nodejs:node product are affected.", "description_and_impact": "A flaw in Node.js\u2019s permission model allows Unix Domain Socket connections to bypass network restrictions when the --permission flag is enabled. Even without the --allow-net flag, attacker\u2011controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets through the net, tls, or undici/fetch APIs. This violates the intended security boundary and lets an attacker access privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The weakness involves improper access control (CWE\u2011284) and flawed permission handling (CWE\u2011281).", "risk_and_exploitability": "The CVSS score is 10.0, indicating maximum severity, while the EPSS score is below 1\u202f%, suggesting exploitation frequency is low at this time. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires a Node.js process run with the --permission flag, plus input from an attacker that can provide a malicious URL or socket path. The attacker can then establish connections to privileged Unix domain sockets, breach local isolation, and potentially gain local privilege escalation or execute code on the host. The experimental nature of network permissions means the attack surface is limited to environments that have enabled these features, but the impact remains severe once the flaw is present."}}}}, "created": "2026-01-21T11:18:49.861884+00:00", "updated": "2026-04-18T04:45:36.868228+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}