CVE-2026-21636

CRITICAL EPSS 47.1%
Published Jan 20, 20265mo ago · Modified Jun 17, 20261w ago
10.0 CVSS 3.1
Critical
Find Similar
Published Jan 20, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

CVSS Details

Base Score
10.0
Exploitability
3.9
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
47.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-284

Affected Products 1

VendorProductVersionRange
nodejsnode.js*≥25.0.0  –  <25.3.0

References 1

  • nodejs.org https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
    Release NotesVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.