node is vulnerable to Improper Access Control
50
Medium Risk
Affected versions of node allow a bypass of the Node.js permission model: when --permission is enabled, connections to Unix Domain Sockets (UDS) are not restricted. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options passed to net, tls, or undici/fetch can be used to connect to arbitrary local sockets. This breaks the intended security boundary, enabling unauthorized access to privileged local services and potentially leading to privilege escalation, data exposure, or local code execution.
You are affected if you are using a version that falls within the vulnerable range.
node is vulnerable to Improper Access Control in versions 25.0.0 - 25.2.0, 23.0.0 - 24.12.0, 21.0.0 - 22.21.1 and 0.0.1 - 20.19.6.
Upgrade node to a patched release above the affected ranges listed above.