PT-2026-29099 · Node.js+1

Xavlimsg · Published 2026-03-30 · Updated 2026-04-13 · CVE-2026-21711

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Node.js versions 25.x

Description

A flaw in the Node.js Permission Model's network enforcement allows Unix Domain Socket (UDS) server operations to proceed without the necessary permission checks. All other network paths correctly enforce these checks. Consequently, code running under --permission without --allow-net can create and expose local Inter-Process Communication (IPC) endpoints, enabling communication with other processes on the same host, bypassing the intended network restriction boundary. The --allow-net feature is currently experimental.

Recommendations

For Node.js version 25.x, avoid running processes under --permission without including the --allow-net flag to restrict network access.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

ALSA-2026:7350
ALSA-2026:7670
ALSA-2026:7675
BIT-NODE-2026-21711
BIT-NODE-MIN-2026-21711
CVE-2026-21711
RHSA-2026:7350
RHSA-2026:7670
RHSA-2026:7675

Affected Products

Node.js
Rocky Linux