Executive Summary

CVE-2026-33872 is a vulnerability in the elixir-nodejs library, which provides an Elixir API for calling Node.js functions. The issue arises from a race condition in the worker protocol where there is no mechanism to correlate responses with their originating requests.

Because the worker does not verify which request a response belongs to, a delayed or "stale" response from a previous request can be mistakenly delivered to a subsequent, unrelated request. This leads to cross-user data leakage or information disclosure.

In high concurrency or timeout situations, sensitive data such as personally identifiable information (PII), authentication tokens, or private records belonging to one user may be returned to another user. The application does not throw errors but instead returns seemingly valid yet incorrect data.

The vulnerability was fixed in version 3.1.4 by introducing a unique correlation ID system that ensures responses are matched only to their originating requests, preventing stale responses from being delivered incorrectly.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information between users. Specifically, data intended for one user (User A) may be mistakenly returned to another user (User B) due to the race condition in the worker protocol.

Such cross-user data leakage can expose personally identifiable information, authentication tokens, or private records, potentially compromising user privacy and security.

Because the application does not generate errors when this occurs, it can be difficult to detect and trace the source of the data leakage.

This issue is especially problematic in high-throughput or concurrent environments where many requests are processed simultaneously, increasing the likelihood of stale responses being delivered incorrectly.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from a race condition in the elixir-nodejs worker protocol where responses may be mismatched to requests, especially under high concurrency or timeout conditions. Detection involves monitoring for unexpected or stale responses being delivered to callers, which may manifest as incorrect or cross-user data leakage.

Since the issue is related to asynchronous calls timing out and responses arriving late, one way to detect it is by running tests that simulate high concurrency and timeouts to observe if stale or out-of-order responses occur.

Specifically, you can reproduce the issue by invoking NodeJS.call/3 calls with forced timeouts and checking if responses correspond correctly to the requests. Observing logs or adding instrumentation to track request IDs and response IDs can help detect mismatches.

No explicit network or system commands are provided in the resources, but testing can be done within the Elixir environment using asynchronous tests (e.g., ExUnit) that simulate concurrent calls and timeouts to the elixir-nodejs worker.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the elixir-nodejs package to version 3.1.4 or later, where the vulnerability has been fixed by introducing a unique correlation ID system that ensures responses are matched to their originating requests.

This fix prevents stale or mismatched responses by filtering out any responses that do not match the current request's unique ID, thereby eliminating cross-user data leakage.

If upgrading immediately is not possible, a temporary workaround discussed includes terminating the GenServer process on timeouts to clear stale state, though this is considered inelegant and less preferable than upgrading.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in elixir-nodejs prior to version 3.1.4 causes unauthorized cross-user data leakage or information disclosure due to a race condition in the worker protocol. Sensitive user data such as personally identifiable information (PII), authentication tokens, or private records can be mistakenly returned to the wrong user under high concurrency or timeout conditions.

This unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to prevent unauthorized access and leakage of personal and sensitive information.

Because the vulnerability results in data being exposed to unintended recipients without generating errors, it complicates detection and auditing, further increasing the risk of regulatory violations related to data confidentiality and integrity.

Useful 0 Not Useful 0