CVE-2026-21636
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-21636, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-20

Last updated on: 2026-01-30

Assigner: HackerOne

Description

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-20
Last Modified
2026-01-30
Generated
2026-07-06
AI Q&A
2026-01-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nodejs node.js From 25.0.0 (inc) to 25.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in Node.js's permission model that allows Unix Domain Socket (UDS) connections to bypass network restrictions when the '--permission' flag is enabled. Even if the '--allow-net' permission is not granted, attacker-controlled inputs like URLs or socketPath options can connect to arbitrary local sockets using net, tls, or undici/fetch modules. This breaks the intended security boundary of the permission model.

Impact Analysis

The vulnerability can allow attackers to access privileged local services, which may lead to privilege escalation, exposure of sensitive data, or local code execution on the affected system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21636. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart