PT-2026-28319 · Node.Js +1
Stif · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-21715
CVSS v3.1: 3.3 (Low)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Node.js versions 20.x through 25.x
Description
A flaw exists in the filesystem enforcement of the Node.js Permission Model: the fs.realpathSync.native() function lacks the read permission checks that comparable filesystem functions correctly enforce. Consequently, code running under the --permission flag with a restricted --allow-fs-read can still call fs.realpathSync.native() to verify that a file exists, resolve symbolic link targets, and enumerate filesystem paths outside the authorized directories. The vulnerable function is fs.realpathSync.native(). The affected API endpoint is not explicitly mentioned.
Recommendations
Versions 20.x through 25.x are affected and require mitigation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Information Disclosure
Incorrect Permission
Related identifiers
Affected products
Node.Js
Rocky Linux