Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-21636

Good to know:

icon
icon

Date: January 20, 2026

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when "--permission" is enabled. Even without "--allow-net", attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions ("--allow-net") are still in the experimental phase.

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-21636
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high
https://www.mend.io/vulnerability-database/CVE-2026-21636

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/nodejs/node.git - v20.20.0;https://github.com/nodejs/node.git - v22.22.0;https://github.com/nodejs/node.git - v24.13.0;https://github.com/nodejs/node.git - v25.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us