Node.js Permission Model Bypass Vulnerability in Unix Domain Socket Server Operations

Vulnerability

A vulnerability exists in Node.js 25.x processes that run under the Permission Model with the --allow-net flag omitted, so that network access is meant to be denied. Unix Domain Socket (UDS) server operations bypass the permission checks that should apply to them, so code can create and expose local IPC endpoints and communicate with other processes on the same host, circumventing the intended network restriction.

Impact

Exploitation of this vulnerability allows the unauthorized creation and exposure of local IPC endpoints, enabling communication with other processes on the same host outside the network boundary the Permission Model was meant to enforce.

Remediation

Update to Node.js 25.8.2, 24.14.1, or 22.22.2 to address this vulnerability.
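As an added example that is not part of this advisory, the following Node.js snippet classifies a runtime version against the fixed releases listed above and, for the running process, reports whether the permission model is active (the status names are my own, and it assumes process.permission is only defined when the model is enabled):

```javascript
// Added example: classify a Node.js version against the fixed releases named in
// the advisory (25.8.2, 24.14.1, 22.22.2). Not code from the Node.js project.
const FIXED = { 25: [25, 8, 2], 24: [24, 14, 1], 22: [22, 22, 2] };

// Parse "v25.8.1" or "25.8.1" into [major, minor, patch]; a pre-release suffix
// such as "-nightly" is ignored. Returns null for input that is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// 'patched'        : at or above the fixed release for its major line
// 'below-fix'      : older than the fixed release for its major line
// 'no-listed-fix'  : a major line the advisory does not name (assess separately)
// 'unknown'        : unparseable input
function assess(version) {
  const parsed = parseVersion(version);
  if (!parsed) return 'unknown';
  const fix = FIXED[parsed[0]];
  if (!fix) return 'no-listed-fix';
  return compare(parsed, fix) >= 0 ? 'patched' : 'below-fix';
}

// Audit a process object. The bypass only matters when the process relies on the
// permission model to deny network access, so report whether the model is active.
// Assumption: process.permission is exposed only when the model is enabled.
function auditProcess(proc = process) {
  return {
    version: proc.version,
    status: assess(proc.version),
    permissionModelActive: Boolean(proc.permission),
  };
}
```

Run it inside the process you want to audit; a result of 'below-fix' together with permissionModelActive true is the combination the advisory describes.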

Added: Mar 30, 2026, 8:41 PM
Updated: Mar 30, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 3.3
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.