Lucene search
K

19 matches found

CVE
CVE
added 2026/06/26 1:14 a.m.28 views

CVE-2026-48936

CVE-2026-48936: A flaw in the Node.js Permission API can cause a local server to start via a Unix domain socket without the --allow-net permission, affecting the Node.js 26 release line. Connected sources indicate this has been fixed in the nodejs26-26.3.1-1.1 package (openSUSE Tumbleweed) and re...

3.3CVSS6.6AI score0.00154EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.40 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS0.00154EPSS
Exploits0References1
OSV
OSV
added 2026/06/23 2:50 p.m.4 views

BIT-NODE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

1.8CVSS5.9AI score0.00208EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/06/18 4:21 p.m.5 views

CVE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

1.8CVSS5.8AI score0.00208EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/06/18 4:21 p.m.8 views

CVE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

1.8CVSS4.6AI score0.00208EPSS
Exploits0
OSV
OSV
added 2026/04/06 7:58 a.m.4 views

BIT-NODE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS6.3AI score0.00158EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/03/30 7:7 p.m.3 views

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

5.3CVSS6.3AI score0.00146EPSS
Exploits0
OSV
OSV
added 2026/01/26 2:48 p.m.4 views

BIT-NODE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

10CVSS6AI score0.00663EPSS
Exploits1References2
UbuntuCve
UbuntuCve
added 2026/01/20 9:16 p.m.4 views

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

10CVSS6.6AI score0.00663EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/01/20 8:41 p.m.34 views

CVE-2025-55132

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-only...

2.8CVSS0.00227EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/20 8:41 p.m.1 views

CVE-2025-55132

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-only...

2.8CVSS5.5AI score0.00227EPSS
Exploits0References1
OSV
OSV
added 2026/01/20 8:41 p.m.4 views

CVE-2025-55132

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-only...

2.8CVSS5.4AI score0.00227EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/01/20 8:41 p.m.4 views

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

10CVSS6.8AI score0.00663EPSS
Exploits1
Tenable Nessus
Tenable Nessus
added 2025/03/06 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2025-23083

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - With the aid of the diagnosticschannel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also...

7.7CVSS6.9AI score0.00413EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2024-21890

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:...

6.5CVSS6.6AI score0.00945EPSS
Exploits0References2
OSV
OSV
added 2024/12/16 1:59 p.m.14 views

BIT-NODE-MIN-2023-30583

fs.openAsBlob can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob API. Please note that at the time this CVE was issued, the permission model is an...

7.5CVSS6AI score0.00722EPSS
Exploits0References3
BDU FSTEC
BDU FSTEC
added 2024/06/10 12:0 a.m.7 views

The vulnerability of the Permission Model component of the Node.js software platform, which allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the Permission Model component of the Node.js software platform is related to insufficient technical documentation. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information...

5CVSS6.6AI score0.00945EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2024/02/20 2:15 a.m.2 views

UBUNTU-CVE-2024-21890

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/.pub will ignore pub and give access to everything after .ssh/. This misleading documentation affects all users...

6.5CVSS6.9AI score0.00945EPSS
Exploits0References4
Hacker One
Hacker One
added 2023/07/31 11:0 p.m.37 views

Internet Bug Bounty: OpenSSL engines can be used to bypass and/or disable the Node.js permission model

Arbitrary OpenSSL engines could be loaded in Node.js 20, bypassing and disabling the permission model. This allowed for the execution of arbitrary code, unaffected by the permission model...

7.5CVSS7.4AI score0.01348EPSS
Exploits0
Rows per page
Query Builder