Skip to main content

Node CVE-2026-21716

| EUVDEUVD-2026-17180 LOW
Missing Authorization (CWE-862)
2026-03-30 hackerone
3.3
CVSS 3.0 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Ubuntu
MEDIUM
qualitative
SUSE
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
PoC Detected
Apr 01, 2026 - 14:24 vuln.today
Public exploit code
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 19:30 euvd
EUVD-2026-17180
Analysis Generated
Mar 30, 2026 - 19:30 vuln.today
CVE Published
Mar 30, 2026 - 19:07 nvd
LOW 3.3

DescriptionCVE.org

An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod() and FileHandle.chown() in the promises API without the required permission checks, while their callback-based equivalents (fs.fchmod(), fs.fchown()) were correctly patched.

As a result, code running under --permission with restricted --allow-fs-write can still use promise-based FileHandle methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects 20.x, 22.x, 24.x, and 25.x processes using the Permission Model where --allow-fs-write is intentionally restricted.

AnalysisAI

Node.js Permission Model bypass in FileHandle.chmod() and FileHandle.chown() promise-based methods allows local authenticated users with restricted --allow-fs-write to modify file permissions and ownership on already-open file descriptors, circumventing intended write restrictions. The vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x when running under the --permission flag; the callback-based equivalents (fs.fchmod, fs.fchown) were correctly patched in CVE-2024-36137, but the promises API was incompletely fixed. CVSS 3.3 with low real-world impact due to local-only attack vector and requirement for pre-existing file access.

Technical ContextAI

Node.js implements a Permission Model (--permission flag) to restrict file system access in untrusted or sandboxed environments. The vulnerability stems from an incomplete fix to CVE-2024-36137, which patched callback-based fs.fchmod() and fs.fchown() but missed their promise-based equivalents in the FileHandle API (accessible via fs.promises). The promises API provides the same capability to modify file permissions (chmod) and ownership (chown) on open file descriptors but lacks the required permission checks that guard the callback variants. This represents an implementation inconsistency where two code paths for the same operation have divergent security controls. The affected CPE (cpe:2.3:a:nodejs:node:*:*:*:*:*:*:*:*) encompasses all Node.js versions, but the vulnerability is triggered only when running with explicit Permission Model flags.

RemediationAI

Upgrade Node.js to a patched version released after March 2026 per the Node.js security advisory (https://nodejs.org/en/blog/vulnerability/march-2026-security-releases). Debian users should apply DSA-6183-1 (https://security-tracker.debian.org/tracker/dsa-6183-1). Ubuntu users should follow their distribution's security update process for affected releases. In the interim, for environments relying on Permission Model isolation, restrict code execution contexts that require open file descriptor manipulation, or audit FileHandle usage in Promise-based code paths to ensure it does not operate on sensitive files. Verify that both callback-based (fs.fchmod, fs.fchown) and promise-based (FileHandle.chmod, FileHandle.chown) code paths are present in security patches.

Vendor StatusVendor

Ubuntu

Priority: Medium
nodejs
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream released 22.22.2+dfsg+~cs22.19.15-1

Debian

nodejs
Release Status Fixed Version Urgency
bullseye vulnerable 12.22.12~dfsg-1~deb11u4 -
bullseye (security) vulnerable 12.22.12~dfsg-1~deb11u7 -
bookworm, bookworm (security) vulnerable 18.20.4+dfsg-1~deb12u1 -
trixie fixed 20.19.2+dfsg-1+deb13u2 -
trixie (security) fixed 20.19.2+dfsg-1+deb13u2 -
forky vulnerable 22.22.1+dfsg+~cs22.19.15-1 -
sid fixed 22.22.2+dfsg+~cs22.19.15-1 -
(unstable) fixed 22.22.2+dfsg+~cs22.19.15-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed

Share

CVE-2026-21716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy