PT-2026-29099 · Node.Js+1

Xavlimsg · Published 2026-03-30 · Updated 2026-04-13 · CVE-2026-21711

CVSS v3.1: 5.3 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Node.js versions 25.x

Description

A flaw in the Node.js Permission Model’s network enforcement allows Unix Domain Socket (UDS) server operations to proceed without the necessary permission checks. All other network paths correctly enforce these checks. Consequently, code running under --permission without --allow-net can create and expose local Inter-Process Communication (IPC) endpoints, enabling communication with other processes on the same host, bypassing the intended network restriction boundary. The --allow-net feature is currently experimental.

Recommendations

For Node.js version 25.x, avoid running processes under --permission without including the --allow-net flag to restrict network access.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BIT-NODE-2026-21711
BIT-NODE-MIN-2026-21711
CVE-2026-21711
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675

Affected Products

Node.Js
Rocky Linux