EUVD-2026-17178 | CVE-2026-21715
Severity: LOW, CVSS 3.0 base score 3.3
Published: 2026-03-30 (source: hackerone)

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released - Mar 31, 2026 21:13 (nvd): patch available
Analysis Generated - Mar 30, 2026 19:30 (vuln.today)
EUVD ID Assigned - Mar 30, 2026 19:30 (euvd): EUVD-2026-17178
CVE Published - Mar 30, 2026 19:07 (nvd)

Description

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.

Analysis

Node.js Permission Model enforcement in versions 20.x, 22.x, 24.x, and 25.x fails to validate read permissions for fs.realpathSync.native(), allowing local authenticated processes running under --permission with restricted --allow-fs-read to enumerate filesystem paths, check file existence, and resolve symlink targets outside permitted directories. This information disclosure vulnerability bypasses sandbox restrictions intentionally configured by administrators and affects multiple stable and current Node.js release series.

Priority Score: 17

KEV: 0
EPSS: +0.0
CVSS: +16
POC: 0

Vendor Status

Ubuntu

Priority: Medium
nodejs
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream released 22.22.2+dfsg+~cs22.19.15-1

Debian

nodejs
Release Status Fixed Version Urgency
bullseye vulnerable 12.22.12~dfsg-1~deb11u4 -
bullseye (security) vulnerable 12.22.12~dfsg-1~deb11u7 -
bookworm, bookworm (security) vulnerable 18.20.4+dfsg-1~deb12u1 -
trixie fixed 20.19.2+dfsg-1+deb13u2 -
trixie (security) fixed 20.19.2+dfsg-1+deb13u2 -
forky vulnerable 22.22.1+dfsg+~cs22.19.15-1 -
sid fixed 22.22.2+dfsg+~cs22.19.15-1 -
(unstable) fixed 22.22.2+dfsg+~cs22.19.15-1 -

EUVD-2026-17178 vulnerability details – vuln.today