PT-2026-3317 · Node.js

Author: Mufeedvh · Published 2026-01-13 · Updated 2026-05-06

CVE-2026-21636 · CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Node.js version 25

Description: A flaw in the permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The network permission (--allow-net) is currently experimental.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Improper Access Control

Related Identifiers

BDU:2026-01353
BIT-NODE-2026-21636
BIT-NODE-MIN-2026-21636
CVE-2026-21636
RHSA-2026:6402
RHSA-2026:6431
RHSA-2026:7386
RHSA-2026:7387

Affected Products

Node.js