Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21636

CVE-2026-21636: Node.js Privilege Escalation Vulnerability

CVE-2026-21636 is a privilege escalation flaw in Node.js that allows Unix Domain Socket connections to bypass network restrictions. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-21636 Overview

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

Critical Impact

This vulnerability allows attackers to bypass Node.js's experimental permission model and access privileged local services through Unix Domain Sockets, potentially enabling privilege escalation or local code execution.

Affected Products

  • Node.js v25 (users of the permission model feature)

Discovery Timeline

  • 2026-01-20 - CVE CVE-2026-21636 published to NVD
  • 2026-01-21 - Last updated in NVD database

Technical Details for CVE-2026-21636

Vulnerability Analysis

This vulnerability represents an Authorization Bypass in Node.js's experimental permission model. The flaw allows processes running under the --permission flag to circumvent network access restrictions by exploiting Unix Domain Socket (UDS) connections. The permission model is designed to sandbox Node.js applications by restricting access to file system, network, and other resources. However, the implementation fails to properly validate socket connections when the target is a local Unix domain socket rather than a network address.

The vulnerability is classified under CWE-284 (Improper Access Control), indicating a fundamental gap in how the permission model enforces its security boundaries. While network permissions (--allow-net) remain in the experimental phase, users relying on this feature for security isolation are exposed to potential bypass attacks.

Root Cause

The root cause lies in the incomplete enforcement of network restrictions within Node.js's permission model. When evaluating whether a connection should be permitted, the permission system does not adequately distinguish between traditional network sockets and Unix Domain Sockets. This oversight allows connections to local socket files even when --allow-net has not been granted.

The net, tls, and undici/fetch modules can all be leveraged to establish connections to arbitrary local sockets by supplying attacker-controlled inputs such as specially crafted URLs or socketPath options. Since UDS connections are treated differently than TCP/IP connections by the permission check logic, they slip through the security boundary.

Attack Vector

An attacker can exploit this vulnerability by providing malicious input to a Node.js application running with the --permission flag. The attack scenario involves:

  1. Identifying a Node.js application using the permission model for security sandboxing
  2. Supplying crafted input (URLs or socket path configurations) to the application
  3. The application attempts to connect using net.connect(), tls.connect(), or fetch() with the malicious socket path
  4. The connection bypasses the --allow-net restriction and reaches privileged local services
  5. The attacker gains access to sensitive data or can trigger actions on local services (e.g., Docker socket, database sockets)

The vulnerability allows attackers to communicate with privileged local services that typically trust local connections, potentially leading to container escapes, database access, or other escalation scenarios.

Detection Methods for CVE-2026-21636

Indicators of Compromise

  • Unexpected connections to Unix domain sockets from Node.js processes running with --permission flag
  • Log entries showing socket connections to paths like /var/run/docker.sock, /var/run/mysql.sock, or other privileged service sockets
  • Application behavior indicating unauthorized access to local services despite permission model restrictions

Detection Strategies

  • Monitor Node.js process arguments for usage of --permission flag without corresponding --allow-net permission
  • Implement file system auditing on critical Unix domain socket files to detect unexpected access
  • Review application logs for socket connection attempts to sensitive local services
  • Deploy endpoint detection to identify anomalous local socket communication patterns

Monitoring Recommendations

  • Enable audit logging for Unix domain socket access on systems running sandboxed Node.js applications
  • Configure alerts for Node.js processes making connections to privileged socket paths
  • Implement network monitoring to detect unusual local inter-process communication
  • Review application input handling for socket path or URL parameters that could be user-controlled

How to Mitigate CVE-2026-21636

Immediate Actions Required

  • Upgrade Node.js v25 to the latest patched version addressing this vulnerability
  • Review all applications using the --permission flag and assess their exposure to user-controlled socket paths
  • Implement additional input validation to sanitize any user-supplied URLs or socket path configurations
  • Consider file system permissions to restrict access to sensitive Unix domain sockets

Patch Information

Node.js has released security updates addressing this vulnerability in the December 2025 Security Releases. Users should upgrade to the patched version of Node.js v25 to remediate this issue. The fix properly enforces permission model restrictions on Unix Domain Socket connections.

Workarounds

  • Avoid relying solely on Node.js's experimental permission model for security-critical sandboxing
  • Use operating system-level security mechanisms (containers, seccomp, AppArmor) as additional defense layers
  • Restrict file system permissions on sensitive Unix domain socket files to prevent unauthorized access
  • Validate and sanitize all user-controlled inputs that could influence socket connection parameters
bash
# Restrict access to sensitive socket files
chmod 600 /var/run/docker.sock
chown root:root /var/run/docker.sock

# Consider using socket activation with restricted access
# Or use container isolation for untrusted Node.js applications

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.