CVE-2026-33872
Race Condition in elixir-nodejs Causes Cross-User Data Leakage
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| revelrylabs | elixir-nodejs | 3.1.4 |
| revelrylabs | elixir-nodejs | to 3.1.4 (exc) |
| elixir_nodejs | elixir_nodejs | to 3.1.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in elixir-nodejs prior to version 3.1.4 causes unauthorized cross-user data leakage or information disclosure due to a race condition in the worker protocol. Sensitive user data such as personally identifiable information (PII), authentication tokens, or private records can be mistakenly returned to the wrong user under high concurrency or timeout conditions.
This unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to prevent unauthorized access and leakage of personal and sensitive information.
Because the vulnerability results in data being exposed to unintended recipients without generating errors, it complicates detection and auditing, further increasing the risk of regulatory violations related to data confidentiality and integrity.
Can you explain this vulnerability to me?
CVE-2026-33872 is a vulnerability in the elixir-nodejs library, which provides an Elixir API for calling Node.js functions. The issue arises from a race condition in the worker protocol where there is no mechanism to correlate responses with their originating requests.
Because the worker does not verify which request a response belongs to, a delayed or "stale" response from a previous request can be mistakenly delivered to a subsequent, unrelated request. This leads to cross-user data leakage or information disclosure.
In high concurrency or timeout situations, sensitive data such as personally identifiable information (PII), authentication tokens, or private records belonging to one user may be returned to another user. The application does not throw errors but instead returns seemingly valid yet incorrect data.
The vulnerability was fixed in version 3.1.4 by introducing a unique correlation ID system that ensures responses are matched only to their originating requests, preventing stale responses from being delivered incorrectly.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive information between users. Specifically, data intended for one user (User A) may be mistakenly returned to another user (User B) due to the race condition in the worker protocol.
Such cross-user data leakage can expose personally identifiable information, authentication tokens, or private records, potentially compromising user privacy and security.
Because the application does not generate errors when this occurs, it can be difficult to detect and trace the source of the data leakage.
This issue is especially problematic in high-throughput or concurrent environments where many requests are processed simultaneously, increasing the likelihood of stale responses being delivered incorrectly.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from a race condition in the elixir-nodejs worker protocol where responses may be mismatched to requests, especially under high concurrency or timeout conditions. Detection involves monitoring for unexpected or stale responses being delivered to callers, which may manifest as incorrect or cross-user data leakage.
Since the issue is related to asynchronous calls timing out and responses arriving late, one way to detect it is by running tests that simulate high concurrency and timeouts to observe if stale or out-of-order responses occur.
Specifically, you can reproduce the issue by invoking NodeJS.call/3 calls with forced timeouts and checking if responses correspond correctly to the requests. Observing logs or adding instrumentation to track request IDs and response IDs can help detect mismatches.
No explicit network or system commands are provided in the resources, but testing can be done within the Elixir environment using asynchronous tests (e.g., ExUnit) that simulate concurrent calls and timeouts to the elixir-nodejs worker.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the elixir-nodejs package to version 3.1.4 or later, where the vulnerability has been fixed by introducing a unique correlation ID system that ensures responses are matched to their originating requests.
This fix prevents stale or mismatched responses by filtering out any responses that do not match the current request's unique ID, thereby eliminating cross-user data leakage.
If upgrading immediately is not possible, a temporary workaround discussed includes terminating the GenServer process on timeouts to clear stale state, though this is considered inelegant and less preferable than upgrading.