CVE-2026-21715: A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable…

low3.3CVSS 3.0

AVLACLPRLUINSUCLINAN

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.

Affected

26 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	nodejs	< nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)	nodejs 22.22.2+dfsg+~cs22.19.15-1 (forky)
nodejs	node	>= 10.0 < 10.*	10.*
nodejs	node	>= 11.0 < 11.*	11.*
nodejs	node	>= 12.0 < 12.*	12.*
nodejs	node	>= 13.0 < 13.*	13.*
nodejs	node	>= 14.0 < 14.*	14.*
nodejs	node	>= 15.0 < 15.*	15.*
nodejs	node	>= 16.0 < 16.*	16.*
nodejs	node	>= 17.0 < 17.*	17.*
nodejs	node	>= 18.0 < 18.*	18.*
nodejs	node	>= 19.0 < 19.*	19.*
nodejs	node	20.20.1 – 20.20.1	—
nodejs	node	22.22.1 – 22.22.1	—
nodejs	node	24.14.0 – 24.14.0	—
nodejs	node	25.8.1 – 25.8.1	—
nodejs	node	>= 4.0 < 4.*	4.*
nodejs	node	>= 5.0 < 5.*	5.*
nodejs	node	>= 6.0 < 6.*	6.*
nodejs	node	>= 7.0 < 7.*	7.*
nodejs	node	>= 8.0 < 8.*	8.*
nodejs	node	>= 9.0 < 9.*	9.*
nodejs	nodejs	>= 0 < 22.22.2-r0	22.22.2-r0
nodejs	nodejs	>= 0 < 22.22.2-r0	22.22.2-r0
nodejs	nodejs	>= 0 < 24.14.1-r0	24.14.1-r0
nodejs	nodejs	>= 0 < 20.19.2+dfsg-1+deb13u2	20.19.2+dfsg-1+deb13u2

CVSS provenance

nvdv3.03.3LOWCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

osv3.3LOW