Security Vulnerability Report
CVE-2026-21711 CVSS 5.3 MEDIUM

Published: 2026-03-30 20:16:19
Last Modified: 2026-04-01 16:23:49

Description

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.

As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.

This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
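
An added audit sketch for the condition described above (not code from the advisory or the Node.js project): it correlates listening Unix sockets from Linux `/proc/net/unix` with Node.js processes started with `--permission` but without `--allow-net`. The sample data, the shape of the process snapshot and all function names are assumptions constructed for illustration.

```javascript
// Added audit example; names and sample data are constructed for illustration.
// Constructed /proc/net/unix sample (Linux). Flags bit 0x10000 = __SO_ACCEPTCON.
const SAMPLE_PROC_NET_UNIX = [
  'Num       RefCount Protocol Flags    Type St Inode Path',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41001 /tmp/app.sock',
  '0000000000000000: 00000003 00000000 00000000 0001 03 41002',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41003 @abstract-name',
  '0000000000000000: 00000002 00000000 00010000 0001 01 41004 /run/other.sock',
].join('\n');

// Constructed snapshot: argv as read from /proc/<pid>/cmdline, socket inodes
// as resolved from the "socket:[inode]" links under /proc/<pid>/fd.
const SAMPLE_PROCS = [
  { pid: 100, argv: ['node', '--permission', 'worker.js'], socketInodes: [41001, 41002] },
  { pid: 101, argv: ['node', '--permission', '--allow-net', 'api.js'], socketInodes: [41004] },
  { pid: 102, argv: ['node', 'plain.js'], socketInodes: [41003] },
];

// Map inode -> path for every Unix socket in the listening state.
function parseListeningUnixSockets(text) {
  const listening = new Map();
  for (const line of text.split('\n').slice(1)) {      // skip header row
    const f = line.trim().split(/\s+/);
    if (f.length < 7) continue;                         // blank or malformed
    if ((parseInt(f[3], 16) & 0x10000) === 0) continue; // not accepting connections
    listening.set(Number(f[6]), f.slice(7).join(' ') || '(unnamed)');
  }
  return listening;
}

// True when the runtime options enable the Permission Model without --allow-net.
// Simplification: only flags before the script name are read; NODE_OPTIONS and
// options that take a separate value argument are not handled.
function isNetRestricted(argv) {
  const opts = [];
  for (const arg of argv.slice(1)) {
    if (!arg.startsWith('-')) break;                    // reached the script path
    opts.push(arg);
  }
  return opts.includes('--permission') && !opts.includes('--allow-net');
}

// Report listening UDS endpoints held by network-restricted Node.js processes.
function findUnexpectedListeners(procs, procNetUnix) {
  const listening = parseListeningUnixSockets(procNetUnix);
  return procs.filter((p) => isNetRestricted(p.argv)).flatMap((p) =>
    p.socketInodes.filter((i) => listening.has(i))
      .map((inode) => ({ pid: p.pid, inode, path: listening.get(inode) })));
}

console.log(findUnexpectedListeners(SAMPLE_PROCS, SAMPLE_PROC_NET_UNIX));
```

On a real host, the two inputs would come from reading `/proc/net/unix` and walking `/proc/<pid>/cmdline` and `/proc/<pid>/fd` for each Node.js process.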

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Node.js 25.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
const net = require('net');
const fs = require('fs');

// Define the socket path
const socketPath = '/tmp/cve_2026_21711.sock';

// Clean up if the socket file already exists
if (fs.existsSync(socketPath)) {
  fs.unlinkSync(socketPath);
}

// Create a Unix Domain Socket server
const server = net.createServer((socket) => {
  console.log('Client connected to UDS');
  socket.on('data', (data) => {
    console.log('Received data:', data.toString());
  });
  socket.write('ECHO: Connection established');
});

// Start listening
server.listen(socketPath, () => {
  console.log(`Server listening on ${socketPath}`);
});

/*
Usage: Run the script with the permission flag but without allowing network access.
Command: node --permission test.js
Expected Result: Server starts successfully despite lacking --allow-net.
*/
```

References

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21711", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:19.260", "lastModified": "2026-04-01T16:23:48.813", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."}, {"lang": "es", "value": "Un fallo en la aplicación de red del Modelo de Permisos de Node.js deja las operaciones del servidor de Sockets de Dominio Unix (UDS) sin las comprobaciones de permisos requeridas, mientras que todas las rutas de red comparables las aplican correctamente.\n\nComo resultado, el código que se ejecuta bajo --permission sin --allow-net puede crear y exponer puntos finales IPC locales, permitiendo la comunicación con otros procesos en el mismo host fuera del límite de restricción de red previsto.\n\nEsta vulnerabilidad afecta a los procesos de Node.js 25.x que utilizan el Modelo de Permisos donde se omite intencionadamente --allow-net para restringir el acceso a la red. 
Tenga en cuenta que --allow-net es actualmente una característica experimental."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}