Vulnerability in Node.js Affects Unix Domain Socket Operations
CVE-2026-21711

5.3 MEDIUM

Key Information:

Vendor: Nodejs

Status
Vendor
CVE Published: 30 March 2026

What is CVE-2026-21711?

A flaw in the Node.js Permission Model leaves network restrictions unenforced for Unix Domain Socket (UDS) server operations. A process running without explicit network permission can still expose local IPC endpoints, which allows unintended communication with other processes on the same host. When --permission is active and --allow-net is not supplied, network access is supposed to be restricted, but the required permission checks are not enforced for UDS server operations, which breaks the intended security boundary. This poses a potential risk for applications on Node.js 25.x that rely on the Permission Model.

Affected Version(s)

node 25.8.1

node 4.0 < 4.*

node 5.0 < 5.*

CVSS V3.0

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
