3.3
/ 10
LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Basic Information
ID
CVE-2026-21715
Source
hackerone
Published
Mar 30, 2026 at 19:07
Modified
Apr 1, 2026 at 15:02
Affected Product
Vendor
nodejs
Product
node
Version
20.20.1
Affected Versions
nodejs node 20.20.1
nodejs node 22.22.1
nodejs node 24.14.0
nodejs node 25.8.1
nodejs node 4.0
nodejs node 5.0
nodejs node 6.0
nodejs node 7.0
nodejs node 8.0
nodejs node 9.0
nodejs node 10.0
nodejs node 11.0
nodejs node 12.0
nodejs node 13.0
nodejs node 14.0
nodejs node 15.0
nodejs node 16.0
nodejs node 17.0
nodejs node 18.0
nodejs node 19.0
nodejs node 22.22.1
nodejs node 24.14.0
nodejs node 25.8.1
nodejs node 4.0
nodejs node 5.0
nodejs node 6.0
nodejs node 7.0
nodejs node 8.0
nodejs node 9.0
nodejs node 10.0
nodejs node 11.0
nodejs node 12.0
nodejs node 13.0
nodejs node 14.0
nodejs node 15.0
nodejs node 16.0
nodejs node 17.0
nodejs node 18.0
nodejs node 19.0