Description
A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
References (2)
Core 2
Scores
CVSS v3
1.8
EPSS
0.0021
EPSS Percentile
10.9%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (3)
nodejs/node
22.22.3
nodejs/node
24.16.0
nodejs/node
26.3.0
Published
Jun 18, 2026
Tracked Since
Jun 18, 2026