DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CVE-2026-21636

NVD

https://nvd.nist.gov/vuln/detail/CVE-2026-21636

Severity

10.0

Critical

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

  • The issue affects users of the Node.js permission model on version v25.

In the moment of this vulnerability, network permissions (--allow-net) are still in the experimental phase.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-21636
  • https://github.com/advisories/GHSA-7xhv-hcmf-4rfv
  • https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal