CVE-2026-21636
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-30
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | From 25.0.0 (inc) to 25.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in Node.js's permission model that allows Unix Domain Socket (UDS) connections to bypass network restrictions when the '--permission' flag is enabled. Even if the '--allow-net' permission is not granted, attacker-controlled inputs like URLs or socketPath options can connect to arbitrary local sockets using net, tls, or undici/fetch modules. This breaks the intended security boundary of the permission model.
How can this vulnerability impact me? :
The vulnerability can allow attackers to access privileged local services, which may lead to privilege escalation, exposure of sensitive data, or local code execution on the affected system.