CVE-2026-21715: Incorrect Permission Assignment in Node

Severity: 3.3 LOW (NVD)
EPSS: 0.0% (top 99.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: listed under Affected Packages
Timeline: Published Mar 30

Description

A flaw in the Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read-permission checks, while all comparable filesystem functions (including `fs.realpathSync()`) enforce them. As a result, code running under `--permission` with a restricted `--allow-fs-read` can still call `fs.realpathSync.native()` to check whether a file exists, resolve symlink targets, and enumerate filesystem paths outside the permitted directories. Only confidentiality is affected (path and existence disclosure); the function does not grant read access to file contents. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (Exploitability: 1.8 | Impact: 1.4)

Affected Packages (3 packages)

| Source    | Package       | Affected versions                  |
|-----------|---------------|------------------------------------|
| CVEListV5 | nodejs/node   | 4.04.* (+19 more ranges)           |
| Alpine    | nodejs/nodejs | < 22.22.2-r0 (+2 more)             |
| Debian    | nodejs/nodejs | < 20.19.2+dfsg-1+deb13u2 (+1 more) |

🔴 Vulnerability Details (4)

- CVEList: CVE-2026-21715: A flaw in Node (2026-03-30)
- GHSA: GHSA-8jgr-5cgv-g667: A flaw in Node (2026-03-30)
- OSV: CVE-2026-21715: A flaw in Node (2026-03-30)
- OSV: CVE-2026-21715: A flaw in Node (2026-03-30)

📋 Vendor Advisories (2)

- Red Hat: Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (2026-03-30)
- Debian: CVE-2026-21715: nodejs - A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSyn... (2026)

🕵️ Threat Intelligence (1)

- Wiz: CVE-2026-21715 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

- Bugzilla: CVE-2026-21715 Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (2026-03-30)

CVE-2026-21715 — Incorrect Permission Assignment | cvebase