{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21711", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.574Z", "datePublished": "2026-03-30T19:07:28.526Z", "dateUpdated": "2026-04-01T15:03:21.612Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}, {"version": "4.0", "status": "affected", "lessThan": "4.*", "versionType": "semver"}, {"version": "5.0", "status": "affected", "lessThan": "5.*", "versionType": "semver"}, {"version": "6.0", "status": "affected", "lessThan": "6.*", "versionType": "semver"}, {"version": "7.0", "status": "affected", "lessThan": "7.*", "versionType": "semver"}, {"version": "8.0", "status": "affected", "lessThan": "8.*", "versionType": "semver"}, {"version": "9.0", "status": "affected", "lessThan": "9.*", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.*", "versionType": "semver"}, {"version": "11.0", "status": "affected", "lessThan": "11.*", "versionType": "semver"}, {"version": "12.0", "status": "affected", "lessThan": "12.*", "versionType": "semver"}, {"version": "13.0", "status": "affected", "lessThan": "13.*", "versionType": "semver"}, {"version": "14.0", "status": "affected", "lessThan": "14.*", "versionType": "semver"}, {"version": "15.0", "status": "affected", "lessThan": "15.*", "versionType": "semver"}, {"version": "16.0", "status": "affected", "lessThan": "16.*", "versionType": "semver"}, {"version": "17.0", "status": "affected", "lessThan": "17.*", "versionType": "semver"}, {"version": "18.0", "status": "affected", "lessThan": "18.*", "versionType": "semver"}, {"version": "19.0", "status": "affected", "lessThan": "19.*", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.526Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:02:57.115426Z", "id": "CVE-2026-21711", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:03:21.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21711", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:02:57.115426Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:03:14.342Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}, {"status": "affected", "version": "4.0", "lessThan": "4.*", "versionType": "semver"}, {"status": "affected", "version": "5.0", "lessThan": "5.*", "versionType": "semver"}, {"status": "affected", "version": "6.0", "lessThan": "6.*", "versionType": "semver"}, {"status": "affected", "version": "7.0", "lessThan": "7.*", "versionType": "semver"}, {"status": "affected", "version": "8.0", "lessThan": "8.*", "versionType": "semver"}, {"status": "affected", "version": "9.0", "lessThan": "9.*", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.*", "versionType": "semver"}, {"status": "affected", "version": "11.0", "lessThan": "11.*", "versionType": "semver"}, {"status": "affected", "version": "12.0", "lessThan": "12.*", "versionType": "semver"}, {"status": "affected", "version": "13.0", "lessThan": "13.*", "versionType": "semver"}, {"status": "affected", "version": "14.0", "lessThan": "14.*", "versionType": "semver"}, {"status": "affected", "version": "15.0", "lessThan": "15.*", "versionType": "semver"}, {"status": "affected", "version": "16.0", "lessThan": "16.*", "versionType": "semver"}, {"status": "affected", "version": "17.0", "lessThan": "17.*", "versionType": "semver"}, {"status": "affected", "version": "18.0", "lessThan": "18.*", "versionType": "semver"}, {"status": "affected", "version": "19.0", "lessThan": "19.*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.526Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21711", "state": "PUBLISHED", "dateUpdated": "2026-04-01T15:03:21.612Z", "dateReserved": "2026-01-04T15:00:06.574Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.526Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}, {"lang": "es", "value": "Un fallo en la aplicaci\u00f3n de red del Modelo de Permisos de Node.js deja las operaciones del servidor de Sockets de Dominio Unix (UDS) sin las comprobaciones de permisos requeridas, mientras que todas las rutas de red comparables las aplican correctamente.\n\nComo resultado, el c\u00f3digo que se ejecuta bajo --permission sin --allow-net puede crear y exponer puntos finales IPC locales, permitiendo la comunicaci\u00f3n con otros procesos en el mismo host fuera del l\u00edmite de restricci\u00f3n de red previsto.\n\nEsta vulnerabilidad afecta a los procesos de Node.js 25.x que utilizan el Modelo de Permisos donde se omite intencionadamente --allow-net para restringir el acceso a la red. Tenga en cuenta que --allow-net es actualmente una caracter\u00edstica experimental."}], "id": "CVE-2026-21711", "lastModified": "2026-04-01T16:23:48.813", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.260", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks", "id": "2453158", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453158"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-940", "details": ["A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.", "A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket (UDS) server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication (IPC) endpoints. As a result, unauthorized communication can occur between processes on the same host, bypassing the intended network security restrictions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21711", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21711\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21711\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.8.1,25.8.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,5.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,6.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,7.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,8.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,9.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,10.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,11.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,12.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,13.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.0.0,14.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[14.0.0,15.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.0.0,16.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,17.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[17.0.0,18.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.0.0,19.0.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0,20.0.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-04-01T06:14:44.156701+00:00", "value": {"mitigation_remediation": ["Upgrade to a Node.js release that includes the fix for missing Unix Domain Socket permission checks.", "If an upgrade is not immediately feasible, disable the Permission Model for processes that do not need it, or include the --allow-net flag only when network access is explicitly required.", "Review application code and system configuration to ensure no unnecessary UDS endpoints are created or exposed.", "Monitor for unexpected IPC activity over Unix Domain Sockets to detect potential misuse."], "summary": {"action": "Apply Patch", "impact": "Unauthorized inter\u2011process communication via Unix Domain Sockets"}, "threat_synthesis": {"affected_systems": "This vulnerability affects Node.js 25.x releases that enable the Permission Model and intentionally omit --allow-net, restricting network access. Processes that do not use the experimental Permission Model or that include --allow-net are not impacted.", "description_and_impact": "A flaw in Node.js\u2019s experimental Permission Model leaves Unix Domain Socket server operations without required permission checks while other network paths enforce them correctly. As a result, a Node.js process running with the --permission flag but without the --allow-net flag can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.", "risk_and_exploitability": "The CVSS score of 5.2 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and based on the description it is inferred that exploitation requires a locally running Node.js process configured with --permission and without --allow-net, thus the attack surface is primarily local. No information indicates a remote exploitation vector."}}}}, "created": "2026-03-30T20:55:11.210623+00:00", "updated": "2026-04-02T07:54:02.215840+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}