Skip to main content

Cross-User Data Leakage CVE-2026-33872

HIGH
Race Condition (CWE-362)
2026-03-26 https://github.com/revelrylabs/elixir-nodejs
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 18:30 vuln.today
Patch released
Mar 26, 2026 - 18:30 nvd
Patch available
CVE Published
Mar 26, 2026 - 18:23 nvd
HIGH 7.1

DescriptionGitHub Advisory

Impact

This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.

The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.

In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.

This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.

Patches

fixed in v3.1.4

Resources

https://github.com/revelrylabs/elixir-nodejs/issues/100

https://github.com/revelrylabs/elixir-nodejs/pull/105

AnalysisAI

Cross-user data leakage in elixir-nodejs library versions prior to 3.1.4 allows authenticated users to receive sensitive data belonging to other users through a race condition in the worker protocol's request-response handling. The lack of request-response correlation causes stale responses to be delivered to unrelated callers in high-throughput environments, potentially exposing PII, authentication tokens, or private records. No public exploit identified at time of analysis, though the vulnerability is documented in GitHub issue #100 with technical details publicly available.

Technical ContextAI

The elixir-nodejs library (CPE: pkg:erlang/nodejs) provides Elixir-to-Node.js interoperability through a worker protocol. This vulnerability is rooted in CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization - Race Condition). The worker implementation fails to correlate requests with their corresponding responses, creating a shared buffer scenario where under concurrent load or timeout conditions, responses can be dequeued by the wrong caller. In high-throughput production environments processing multiple concurrent requests, the worker may return buffered data from User A's request to User B's subsequent request without validation, creating a classic race condition that manifests as information disclosure rather than system instability.

RemediationAI

Upgrade elixir-nodejs to version 3.1.4 or later, which contains the vendor-released patch addressing the race condition (release notes at https://github.com/revelrylabs/elixir-nodejs/releases/tag/v3.1.4, technical fix in pull request https://github.com/revelrylabs/elixir-nodejs/pull/105). Organizations unable to upgrade immediately should implement compensating controls including request rate limiting to reduce concurrent load, session-specific data validation layers to detect cross-user data leakage, and enhanced monitoring for anomalous data access patterns. For critical environments, consider temporarily isolating worker processes per user session or implementing additional request-response correlation at the application layer until patching is complete.

Share

CVE-2026-33872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy