CVE-2026-21636
📋 TL;DR
A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled inputs to bypass network restrictions and connect to arbitrary local Unix Domain Sockets. This breaks the intended security boundary, potentially enabling access to privileged local services. Only users of Node.js v25 with the experimental --permission flag enabled are affected.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Full privilege escalation leading to complete system compromise, data exfiltration, and persistent backdoor installation via access to privileged local services.
Likely Case
Unauthorized access to local services (databases, APIs, internal tools) leading to data exposure, service disruption, or limited code execution.
If Mitigated
Minimal impact if proper network segmentation, service isolation, and least privilege principles are already implemented.
🎯 Exploit Status
Exploitation requires attacker-controlled input in the application and the --permission flag to be enabled. The vulnerability is straightforward to exploit once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v25.x security releases from December 2025
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Restart Required: Yes
Instructions:
1. Check the current Node.js version with 'node --version'.
2. If running v25.x, upgrade immediately to the latest v25 security release.
3. Update all Node.js applications and restart affected services.
🔧 Temporary Workarounds
Disable Permission Model
(all platforms) Remove the --permission flag from Node.js startup until patching is possible
Remove '--permission' from all Node.js startup scripts and configurations
Network Isolation
(Linux) Isolate Node.js applications from sensitive local services using network namespaces or containers
Use Docker containers with limited network access
Implement Linux network namespaces
🧯 If You Can't Patch
- Disable the experimental permission model entirely by removing --permission flag
- Implement strict input validation and sanitization for all URL and socketPath parameters
🔍 How to Verify
Check if Vulnerable:
Check if Node.js version is v25.x and the --permission flag is enabled in process arguments or configuration
Check Version:
node --version
Verify Fix Applied:
Verify Node.js version is updated to December 2025 security release and test that UDS connections respect network permissions
📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to local sockets
- Permission model warnings or errors
- Failed network restriction attempts
Network Indicators:
- Unexpected UDS connections from Node.js processes
- Local service access from unauthorized processes
SIEM Query:
process.name:"node" AND (command_line:"--permission" OR command_line:"uds")