CVE-2026-21711

MEDIUM

Node.js 25.x - Privilege Escalation

Title source: llm

Description

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.

References (1)

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Scores

CVSS v3 5.3

EPSS 0.0000

EPSS Percentile 0.2%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (17)

nodejs/node 10.0 - 10.*

nodejs/node 11.0 - 11.*

nodejs/node 12.0 - 12.*

nodejs/node 13.0 - 13.*

nodejs/node 14.0 - 14.*

nodejs/node 15.0 - 15.*

nodejs/node 16.0 - 16.*

nodejs/node 17.0 - 17.*

nodejs/node 18.0 - 18.*

nodejs/node 19.0 - 19.*

... and 7 more

Published Mar 30, 2026

Tracked Since Mar 31, 2026