Vulnerability DatabaseCVE-2026-21711
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-21711
March 23, 2026
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js 25.x processes using the Permission Model where --allow-net is intentionally omitted to restrict network access. Note that --allow-net is currently an experimental feature.
Affected Packages
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v25.0.0 <v25.8.2
Fix Suggestion:
Update to version v25.8.2
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v25.0.0 <v25.8.2
Fix Suggestion:
Update to version v25.8.2
https://github.com/nodejs/node.git (GITHUB):
Affected version(s) >=v25.0.0 <v25.8.2
Fix Suggestion:
Update to version v25.8.2
Related ResourcesĀ (1)
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Do you need more information?
Contact Us
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE