PT-2026-28319 · Node.Js+1

Stif · Published 2026-01-01 · Updated 2026-04-21 · CVE-2026-21715

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions 20.x through 25.x

Description: A flaw exists in the Node.js Permission Model's filesystem enforcement: the fs.realpathSync.native() function lacks the read permission checks that comparable filesystem functions correctly enforce. Consequently, code running under the --permission flag with a restricted --allow-fs-read can still use fs.realpathSync.native() to verify file existence, resolve symbolic link targets, and enumerate filesystem paths outside the authorized directories. The vulnerable function is fs.realpathSync.native(). No specific affected API endpoint is mentioned.

Recommendations: Versions 20.x through 25.x are affected and require mitigation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Information Disclosure
Incorrect Permission

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BDU:2026-04838
BIT-NODE-2026-21715
BIT-NODE-MIN-2026-21715
CVE-2026-21715
MGASA-2026-0071
OESA-2026-1951
OESA-2026-1952
OESA-2026-1953
OESA-2026-1954
OPENSUSE-SU-2026:10504-1
OPENSUSE-SU-2026:20519-1
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675
SUSE-SU-2026:1299-1
SUSE-SU-2026:1363-1
SUSE-SU-2026:1371-1
SUSE-SU-2026:1478-1
SUSE-SU-2026:1509-1
SUSE-SU-2026:21181-1

Affected Products

Node.Js
Rocky Linux