Node.js Unix Domain Socket Permission Model Bypass Vulnerability

Vulnerability

A vulnerability in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when the permission model is enabled. Even when network access has not been allowed, attacker-controlled input can cause connections to arbitrary local sockets through various modules, breaking the intended security boundary and potentially leading to privilege escalation, data exposure, or local code execution. The issue affects Node.js 25.x, at a time when network permissions were still experimental.

Impact

Exploitation of this vulnerability could allow unauthorized access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

Remediation

Users can update to Node.js versions 25.4.0, 24.13.0, or 22.22.0, all of which include the patch for this vulnerability.
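
A runtime check for the remediation above, added here as an example (it is not code from the advisory or from the Node.js project). The names `PATCHED` and `assess` are hypothetical, and the check assumes `process.permission` is defined only when the permission model is enabled.

```javascript
// Added example. Fixed releases per line are copied from the Remediation text.
const PATCHED = { 25: [25, 4, 0], 24: [24, 13, 0], 22: [22, 22, 0] };

// Parse "v25.3.0" or "25.4.0-nightly..." into numbers plus a prerelease flag.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { triple: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Numeric comparison of [major, minor, patch]; returns -1, 0 or 1.
function compareTriple(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function assess(rawVersion, permissionModelEnabled) {
  const v = parseVersion(rawVersion);
  if (!v) return { status: 'unparseable', version: String(rawVersion) };
  const fixed = PATCHED[v.triple[0]];
  // The page names no fixed release for other lines, so do not guess.
  if (!fixed) return { status: 'line-not-listed', version: rawVersion };
  const cmp = compareTriple(v.triple, fixed);
  // A prerelease of the fixed version sorts before it and may lack the patch.
  if (cmp > 0 || (cmp === 0 && !v.prerelease)) {
    return { status: 'patched', version: rawVersion };
  }
  return {
    // The bypass only matters where the permission model is relied on.
    status: permissionModelEnabled ? 'update-required' : 'update-recommended',
    version: rawVersion,
    fixedIn: fixed.join('.'),
  };
}

// Assumption: process.permission is defined only when the permission model is enabled.
const permissionOn = typeof process.permission !== 'undefined';
console.log(JSON.stringify(assess(process.version, permissionOn)));
```

Run it with the same flags the workload uses, so the permission-model detection reflects the real deployment.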

Added: Jan 20, 2026, 9:23 PM
Updated: Jan 20, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 3.1
exploitability: 4.7
remediation: 7.7
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.