CVE-2026-21715 Overview
CVE-2026-21715 is a permission enforcement flaw in the Node.js Permission Model. The fs.realpathSync.native() function does not enforce the read permission checks that all comparable filesystem functions correctly apply. Code running under --permission with restricted --allow-fs-read can call fs.realpathSync.native() to check file existence, resolve symbolic link targets, and enumerate filesystem paths outside permitted directories. The issue affects Node.js 20.x, 22.x, 24.x, and 25.x release lines. The weakness is classified as [CWE-732] (Incorrect Permission Assignment for Critical Resource).
Critical Impact
Local code running with intentionally restricted filesystem read permissions can bypass the Node.js Permission Model to disclose information about files and directories outside its allowlist.
Affected Products
- Node.js 20.x release line
- Node.js 22.x release line
- Node.js 24.x and 25.x release lines
Discovery Timeline
- 2026-03-30 - CVE-2026-21715 published to the National Vulnerability Database (NVD)
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-21715
Vulnerability Analysis
The Node.js Permission Model, enabled with the --permission flag, restricts a process to filesystem locations declared through --allow-fs-read and --allow-fs-write. The model mediates filesystem APIs so that calls outside the allowlist fail with ERR_ACCESS_DENIED.
CVE-2026-21715 stems from a missing permission check in the native code path backing fs.realpathSync.native(). While fs.realpathSync(), fs.access(), fs.stat(), and related calls correctly invoke the permission check, the native variant skips it. An attacker controlling JavaScript executed inside a permission-restricted process can call fs.realpathSync.native() against arbitrary absolute paths.
The function returns the canonical path of the supplied input. The behavior leaks three categories of information. First, it discloses whether a target path exists by returning a value or throwing ENOENT. Second, it resolves symbolic links, revealing their targets. Third, it enables directory enumeration by probing candidate paths. Confidentiality is impacted; integrity and availability are not.
Root Cause
The native realpath binding in libuv-backed code does not call the Permission Model gate that wraps the JavaScript-level fs surface. The omission represents an incomplete enforcement of a security policy rather than a logic flaw in path resolution itself. See the Node.js March 2026 Security Blog for vendor technical details.
Attack Vector
Exploitation requires the ability to execute JavaScript inside a Node.js process started with --permission and a constrained --allow-fs-read allowlist. This scenario typically arises in sandboxed plugin hosts, multi-tenant runtimes, or applications that load untrusted third-party modules under permission restrictions. The attacker calls fs.realpathSync.native('/path/outside/allowlist') and inspects the return value or exception type to infer filesystem state. No network access, elevated privileges, or user interaction is required.
No public proof-of-concept exploit is listed for this CVE.
Detection Methods for CVE-2026-21715
Indicators of Compromise
- Calls to fs.realpathSync.native() originating from untrusted modules within a permission-restricted Node.js process.
- Application logs showing successful path resolutions for files outside the configured --allow-fs-read allowlist.
- Unexpected exceptions referencing paths outside the allowlist that returned ENOENT rather than ERR_ACCESS_DENIED.
Detection Strategies
- Audit Node.js application source and dependency trees for direct or transitive use of fs.realpathSync.native().
- Inventory production hosts running Node.js 20.x, 22.x, 24.x, or 25.x with the --permission flag to identify exposed processes.
- Enable Node.js process tracing to log filesystem API invocations and compare resolved paths against the declared allowlist.
Monitoring Recommendations
- Forward Node.js process telemetry, including command-line flags and module load events, to a central analytics platform for review.
- Alert on permission-restricted processes that throw ENOENT for paths outside their allowlist, which suggests probing behavior.
- Track third-party package updates that introduce calls to native filesystem APIs in sandboxed contexts.
How to Mitigate CVE-2026-21715
Immediate Actions Required
- Upgrade Node.js to the patched release for the 20.x, 22.x, 24.x, or 25.x branch as published in the March 2026 security release.
- Identify all production workloads relying on --permission and --allow-fs-read and prioritize them for patching.
- Review untrusted code loaded into permission-restricted processes for use of fs.realpathSync.native().
Patch Information
The Node.js project addressed the missing permission check in the March 2026 security releases across the 20.x, 22.x, 24.x, and 25.x branches. Refer to the Node.js March 2026 Security Blog for fixed version numbers and download links.
Workarounds
- Override fs.realpathSync.native at process startup with a wrapper that validates inputs against the allowlist before delegating to the original function.
- Avoid loading untrusted modules into Node.js processes that rely on the Permission Model for filesystem confidentiality until the patch is deployed.
- Treat the Permission Model as defense-in-depth rather than a sole boundary, and isolate untrusted workloads using OS-level sandboxing such as containers, seccomp, or AppArmor.
# Configuration example: pin to a patched Node.js release and launch with restricted filesystem reads
node --permission --allow-fs-read=/srv/app/data ./server.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
