BIT-node-2026-21636

Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21636.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-node-2026-21636
Aliases
Published
2026-01-26T14:48:00.613Z
Modified
2026-02-01T15:43:04.697500Z
Summary
[none]
Details

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

  • The issue affects users of the Node.js permission model on version v25.

At the time of this vulnerability, network permissions (--allow-net) are still in the experimental phase.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected ranges

Type
SEMVER
Events
Introduced
25.0.0
Fixed
25.3.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2026-21636.json"