Improper authorization control for web services in nodejs

Description

A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket (UDS) server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication (IPC) endpoints. As a result, unauthorized communication can occur between processes on the same host, bypassing the intended network security restrictions.
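
As an added example (not part of the advisory or of Node.js itself), the following Linux-only audit lists bound, listening Unix domain sockets owned by `node` processes by parsing `/proc/net/unix`, which helps spot IPC endpoints exposed by processes that were meant to run without network access. The sample table, the inode-to-process map and the function names are constructed for illustration.

```javascript
// Added example: audit listening Unix domain sockets on Linux via /proc/net/unix.
const SO_ACCEPTCON = 0x10000; // kernel sets this flag once listen() was called

// Constructed sample in /proc/net/unix layout; on a live host read the real file.
const SAMPLE_PROC_NET_UNIX = `Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 31337 /tmp/app-ipc.sock
0000000000000000: 00000003 00000000 00000000 0001 03 31400 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 31555 @node-abstract
0000000000000000: 00000002 00000000 00000000 0002 01 31600 /run/systemd/notify
0000000000000000: 00000003 00000000 00000000 0001 03 31700
`;

// Constructed inode -> owner map; on a live host build it by resolving the
// "socket:[inode]" symlinks under /proc/<pid>/fd.
const SAMPLE_OWNERS = new Map([
  [31337, { pid: 4242, comm: 'node' }],
  [31555, { pid: 4242, comm: 'node' }],
]);

// Parse each data row into { flags, type, inode, path, abstract }.
function parseProcNetUnix(text) {
  const rows = [];
  for (const line of text.split('\n').slice(1)) { // slice(1) skips the header
    const f = line.trim().split(/\s+/);
    if (f.length < 7 || !f[0].endsWith(':')) continue;
    const path = f.slice(7).join(' '); // empty for unbound sockets
    rows.push({
      flags: parseInt(f[3], 16),
      type: parseInt(f[4], 16),
      inode: Number(f[6]),
      path,
      abstract: path.startsWith('@'), // abstract namespace, no filesystem entry
    });
  }
  return rows;
}

// Return bound, listening sockets whose owning process name matches procName.
function findListeningSockets(text, owners, procName = 'node') {
  return parseProcNetUnix(text)
    .filter((s) => (s.flags & SO_ACCEPTCON) !== 0 && s.path !== '')
    .map((s) => ({ ...s, owner: owners.get(s.inode) || null }))
    .filter((s) => s.owner !== null && s.owner.comm === procName);
}

console.log(findListeningSockets(SAMPLE_PROC_NET_UNIX, SAMPLE_OWNERS));
```

Any socket this reports for a Node.js process that was started with network access denied is worth reviewing against the patched versions.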

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions