Unrated severityOSV Advisory· Published Jan 20, 2026· Updated Jan 21, 2026
CVE-2026-21636
CVE-2026-21636
Description
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.
- The issue affects users of the Node.js permission model on version v25.
In the moment of this vulnerability, network permissions (--allow-net) are still in the experimental phase.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
18- osv-coords16 versionspkg:apk/chainguard/nodejs-20pkg:apk/chainguard/nodejs-20-docpkg:apk/chainguard/nodejs-22pkg:apk/chainguard/nodejs-22-docpkg:apk/chainguard/nodejs-24pkg:apk/chainguard/nodejs-24-docpkg:apk/chainguard/nodejs-25pkg:apk/wolfi/nodejs-20pkg:apk/wolfi/nodejs-20-docpkg:apk/wolfi/nodejs-22pkg:apk/wolfi/nodejs-22-docpkg:apk/wolfi/nodejs-24pkg:apk/wolfi/nodejs-24-docpkg:apk/wolfi/nodejs-25pkg:bitnami/nodepkg:bitnami/node-min
< 20.20.0-r0+ 15 more
- (no CPE)range: < 20.20.0-r0
- (no CPE)range: < 20.20.0-r0
- (no CPE)range: < 22.22.0-r0
- (no CPE)range: < 22.22.0-r0
- (no CPE)range: < 24.13.0-r0
- (no CPE)range: < 24.13.0-r0
- (no CPE)range: < 25.3.0-r0
- (no CPE)range: < 20.20.0-r0
- (no CPE)range: < 20.20.0-r0
- (no CPE)range: < 22.22.0-r0
- (no CPE)range: < 22.22.0-r0
- (no CPE)range: < 24.13.0-r0
- (no CPE)range: < 24.13.0-r0
- (no CPE)range: < 25.3.0-r0
- (no CPE)range: >= 25.0.0, < 25.3.0
- (no CPE)range: >= 25.0.0, < 25.3.0
Patches
Vulnerability mechanics
References
1News mentions
1- Node.js Fixes 12 Vulnerabilities, Including 2 High-Severity Authentication BypassesCyber Security News · Jun 19, 2026