6 matches found

OSV
added 2026/04/06 7:58 a.m., 1 views

BIT-NODE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

CVSS 3.3, AI score 6.3, EPSS 0.00006
Exploits 0, References 2

Debian CVE
added 2026/03/30 7:7 p.m., 2 views

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVSS 5.3, AI score 6.3, EPSS 0.00004
Exploits 0

Tenable Nessus
added 2025/03/06 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2025-23083

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also...

CVSS 7.7, AI score 6.9, EPSS 0.00105
Exploits 0, References 3

Tenable Nessus
added 2025/03/05 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2024-21890

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:...

CVSS 6.5, AI score 6.7, EPSS 0.01439
Exploits 0, References 2

OSV
added 2024/12/16 1:59 p.m., 12 views

BIT-NODE-MIN-2023-30583

fs.openAsBlob can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob API. Please note that at the time this CVE was issued, the permission model is an...

CVSS 7.5, AI score 6, EPSS 0.00022
Exploits 0, References 3

HackerOne
added 2023/07/31 11:0 p.m., 32 views

Internet Bug Bounty: OpenSSL engines can be used to bypass and/or disable the Node.js permission model

Arbitrary OpenSSL engines could be loaded in Node.js 20, bypassing and disabling the permission model. This allowed for the execution of arbitrary code, unaffected by the permission model...

CVSS 7.5, AI score 7.4, EPSS 0.00044
Exploits 0