CVE-2026-33872 Overview
CVE-2026-33872 is a race condition vulnerability in elixir-nodejs, an Elixir API library for calling Node.js functions. Versions prior to 3.1.4 are affected by a cross-user data leakage issue stemming from improper request-response correlation in the worker protocol. This vulnerability allows sensitive user data to be inadvertently returned to unauthorized parties under high-concurrency conditions.
Critical Impact
In high-throughput environments processing sensitive data such as PII, authentication tokens, or private records, this vulnerability can cause User A's data to be returned to User B, resulting in unauthorized information disclosure that is difficult to trace.
Affected Products
- elixir-nodejs versions prior to 3.1.4
Discovery Timeline
- 2026-03-27 - CVE-2026-33872 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33872
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Race Condition) and manifests in the worker protocol implementation of elixir-nodejs. The core issue lies in the library's failure to properly correlate requests with their corresponding responses when communicating between Elixir processes and Node.js workers.
Under normal operation, requests are sent to Node.js workers and responses are returned to the calling process. However, the implementation lacks a mechanism to verify which request a particular response belongs to. This creates a "stale response" vulnerability where the worker may return data from the next available item in the buffer rather than the data corresponding to the original request.
The vulnerability is particularly dangerous because it does not produce errors or exceptions. Instead, affected applications receive "valid-looking" data that happens to belong to a different user's session. This silent failure mode makes the issue extremely difficult to detect through standard error monitoring and logging practices.
Root Cause
The root cause of CVE-2026-33872 is the absence of request-response correlation in the worker protocol. When multiple requests are processed concurrently, the worker does not maintain associations between incoming requests and outgoing responses. Combined with timing issues such as timeouts or high concurrent load, this architectural flaw allows responses to be delivered to the wrong caller.
Attack Vector
This vulnerability is exploitable over the network in environments where the elixir-nodejs library processes concurrent requests from multiple users. The attack scenario involves:
- High-concurrency conditions - The vulnerability manifests when multiple users make simultaneous requests
- Timeout or load conditions - Network latency or worker saturation can trigger the race condition
- Buffer misalignment - When a response arrives after a timeout, it may be delivered to a subsequent, unrelated request
- Silent data leakage - User A's sensitive data (PII, tokens, private records) is returned to User B without error indication
The attack is passive in nature—an attacker does not need to actively exploit the system. Simply using the application alongside other users under sufficient load can trigger the data leakage. This makes traditional intrusion detection approaches less effective, as no malicious payloads or attack patterns are involved.
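The timeout-then-stale-response sequence described above, as an added example that is not elixir-nodejs code: a deterministic model of a worker channel (`FakeWorker`, `callUncorrelated`, `callCorrelated` and the tick-based timing are all constructed for illustration) contrasting a client that takes the next buffered response with one that matches responses to its own request id.

```javascript
// Constructed model, not the library's protocol: responses land in a FIFO
// buffer after a delay measured in ticks, as the advisory's scenario assumes.
class FakeWorker {
  constructor() { this.inFlight = []; this.buffer = []; }
  // Queue a request whose response arrives after `delay` ticks.
  send(id, user, delay) { this.inFlight.push({ id, user, delay }); }
  // Advance one tick; due responses move to the buffer in send order.
  tick() {
    const remaining = [];
    for (const r of this.inFlight) {
      r.delay -= 1;
      if (r.delay <= 0) this.buffer.push({ id: r.id, data: `record-of-${r.user}` });
      else remaining.push(r);
    }
    this.inFlight = remaining;
  }
}

let nextId = 0;

// Vulnerable pattern: whatever response is at the head of the buffer is
// treated as the answer to the request just sent.
function callUncorrelated(worker, user, delay, timeoutTicks) {
  worker.send(++nextId, user, delay);
  for (let t = 0; t < timeoutTicks; t++) {
    worker.tick();
    if (worker.buffer.length) return worker.buffer.shift().data;
  }
  return null; // timed out; the late response will still land in the buffer
}

// Correlated pattern: accept only the response carrying this call's id and
// discard stale responses left behind by earlier, timed-out requests.
function callCorrelated(worker, user, delay, timeoutTicks) {
  const id = ++nextId;
  worker.send(id, user, delay);
  for (let t = 0; t < timeoutTicks; t++) {
    worker.tick();
    while (worker.buffer.length) {
      const resp = worker.buffer.shift();
      if (resp.id === id) return resp.data;
    }
  }
  return null;
}

// Advisory scenario: user A's slow request times out, then user B's request
// is served from the same worker. Returns what each caller received.
function scenario(call) {
  const worker = new FakeWorker();
  const a = call(worker, "userA", 2, 1); // needs 2 ticks, client waits 1
  const b = call(worker, "userB", 1, 1); // A's stale response arrives first
  return { a, b };
}
```

With `callUncorrelated`, user B receives `record-of-userA` and no error is raised, which is the silent leak the advisory describes; with `callCorrelated`, B receives its own record and A's stale response is dropped.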
Detection Methods for CVE-2026-33872
Indicators of Compromise
- Users reporting receipt of data belonging to other accounts or sessions
- Audit logs showing inconsistencies between requested resources and returned data
- Anomalous patterns in application behavior during high-load periods
- Customer complaints about seeing unfamiliar or incorrect personal information
Detection Strategies
- Implement application-level correlation tracking to verify response integrity
- Deploy monitoring for request-response timing anomalies in elixir-nodejs worker communications
- Review application logs for evidence of data misalignment between user sessions
- Conduct security audits of high-throughput endpoints that handle sensitive user data
Monitoring Recommendations
- Monitor elixir-nodejs worker pool metrics for signs of buffer contention
- Establish baseline metrics for request processing times and alert on significant deviations
- Implement data integrity checksums at the application layer to detect cross-session contamination
- Configure logging to capture correlation identifiers for all sensitive data transactions
How to Mitigate CVE-2026-33872
Immediate Actions Required
- Upgrade elixir-nodejs to version 3.1.4 or later immediately
- Review application logs and user reports for potential past data leakage incidents
- Assess the sensitivity of data processed through elixir-nodejs to determine breach notification requirements
- Consider temporarily reducing concurrency or implementing rate limiting until the patch is applied
Patch Information
The vulnerability is fixed in elixir-nodejs version 3.1.4. Organizations should upgrade to this version or later to remediate the issue. Technical details about the fix are available in GitHub Pull Request #105 and the GitHub Release v3.1.4. The complete security advisory is documented in GHSA-rwcr-rpcc-3g9m.
Workarounds
- Reduce concurrent request volume to minimize race condition triggers until patching is complete
- Implement application-level request-response correlation as a defense-in-depth measure
- Avoid processing highly sensitive data through affected elixir-nodejs versions
- Consider implementing a queuing mechanism to serialize requests as a temporary mitigation
# Update elixir-nodejs to the patched version
# (the {:nodejs, "~> ..."} requirement in mix.exs must permit 3.1.4 or later,
# since mix deps.update only moves within the declared constraint)
mix deps.update nodejs
# Verify the installed version is 3.1.4 or later
mix deps | grep nodejs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.