CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 2.6%

CVSS Severity

CVSS v3 Score 5.8

References

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Products affected by CVE-2026-21636

Nodejs » Node.js » Version: Any

cpe:2.3:a:nodejs:node.js:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-21636

Products

Pricing

Contact Us