{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/node.js-25.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-21711"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js 25.x"],"_cs_severities":["medium"],"_cs_tags":["nodejs","permission model","uds","unix domain socket","ipc","cve-2026-21711"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Node.js"],"content_html":"\u003cp\u003eCVE-2026-21711 is a vulnerability in Node.js version 25.x related to the experimental permission model. Specifically, it involves a bypass of network restrictions when using Unix Domain Sockets (UDS). The vulnerability occurs because the permission model\u0026rsquo;s network enforcement mechanisms do not properly apply to UDS server operations. This means that code running with the \u003ccode\u003e--permission\u003c/code\u003e flag, but specifically without \u003ccode\u003e--allow-net\u003c/code\u003e (intended to restrict network access), can still create and expose local Inter-Process Communication (IPC) endpoints through UDS. This enables unauthorized communication with other processes on the same host, effectively circumventing the intended network isolation. 
This flaw is significant for environments relying on the Node.js permission model to isolate applications and prevent them from accessing network resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker deploys a Node.js application using Node.js 25.x with the \u003ccode\u003e--permission\u003c/code\u003e flag and intentionally omits the \u003ccode\u003e--allow-net\u003c/code\u003e flag to restrict network access.\u003c/li\u003e\n\u003cli\u003eThe application leverages the \u003ccode\u003enet\u003c/code\u003e module or a similar mechanism to create a Unix Domain Socket server. This operation should, in theory, be blocked by the permission model due to the missing \u003ccode\u003e--allow-net\u003c/code\u003e flag, but due to the vulnerability, the UDS server is created successfully.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies a path for the UDS that allows other processes on the system to connect to it.\u003c/li\u003e\n\u003cli\u003eA separate, possibly malicious, process on the same host connects to the created UDS. 
This process could be under the attacker\u0026rsquo;s control or a compromised service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s application and the connecting process establish a communication channel over the UDS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this channel to send commands, data, or other instructions between the two processes, bypassing the intended network restrictions.\u003c/li\u003e\n\u003cli\u003eThe receiving process executes the commands or processes the data received, potentially leading to privilege escalation, data leakage, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining unauthorized access to system resources or compromising the integrity of the receiving process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21711 can lead to a bypass of intended network isolation in Node.js applications. This may allow unauthorized processes to communicate with and potentially control isolated applications, leading to privilege escalation, data leakage, or other forms of compromise. The vulnerability affects Node.js 25.x processes utilizing the permission model. 
The number of affected installations is unknown, but the impact is potentially significant for environments relying on the permission model to restrict network access and isolate applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Node.js that addresses CVE-2026-21711 once available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts within your environment, focusing on process creation events when the \u003ccode\u003e--permission\u003c/code\u003e flag is enabled.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js processes for suspicious UDS creation and connection activity using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eReview and harden the permission configurations of Node.js applications to prevent unintended access to sensitive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:41:19Z","date_published":"2026-05-31T07:41:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nodejs-uds-bypass/","summary":"CVE-2026-21711 allows code running under the Node.js permission model without network access to create and expose local IPC endpoints via Unix Domain Sockets, bypassing intended network restrictions and enabling inter-process communication.","title":"Node.js Permission Model Bypass via Unix Domain Sockets (CVE-2026-21711)","url":"https://feed.craftedsignal.io/briefs/2026-05-nodejs-uds-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.9,"id":"CVE-2026-21717"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js 20.x","Node.js 22.x","Node.js 24.x","Node.js 25.x"],"_cs_severities":["medium"],"_cs_tags":["dos","hash-collision","node.js"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-21717 is a vulnerability affecting Node.js 
versions 20.x, 22.x, 24.x, and 25.x. The flaw resides in the V8 JavaScript engine\u0026rsquo;s string hashing mechanism. When Node.js parses JSON, V8 internalizes short strings into a hash table. This vulnerability occurs because the hashing algorithm treats integer-like strings specially, hashing them to their numeric value. An attacker can exploit this by crafting JSON input containing a large number of distinct strings that happen to hash to the same value due to this predictable hashing behavior. This causes excessive hash collisions within V8\u0026rsquo;s internal string table, resulting in a significant performance degradation of the Node.js process, potentially leading to denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Node.js application that uses \u003ccode\u003eJSON.parse()\u003c/code\u003e to process user-supplied input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON payload containing a large number of strings.\u003c/li\u003e\n\u003cli\u003eThe crafted strings are chosen to be integer-like strings (e.g., \u0026ldquo;100\u0026rdquo;, \u0026ldquo;200\u0026rdquo;, \u0026ldquo;300\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eWhen the Node.js application calls \u003ccode\u003eJSON.parse()\u003c/code\u003e on the malicious payload, the V8 engine attempts to internalize these strings into its string table.\u003c/li\u003e\n\u003cli\u003eDue to the flawed hashing algorithm, these strings produce a large number of hash collisions.\u003c/li\u003e\n\u003cli\u003eThe excessive hash collisions cause the V8 engine to spend excessive time resolving these collisions.\u003c/li\u003e\n\u003cli\u003eThis increased processing time degrades the performance of the Node.js process, increasing CPU usage and response times.\u003c/li\u003e\n\u003cli\u003eThe Node.js application becomes unresponsive, effectively causing a denial-of-service 
condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21717 leads to a denial-of-service condition, potentially impacting all users of the affected Node.js application. The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x, making a wide range of applications potentially vulnerable. There is no information about the number of victims or sectors targeted in the provided source.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a fixed version of Node.js to remediate CVE-2026-21717.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Number of JSON Parse Operations\u003c/code\u003e to identify potential exploitation attempts by monitoring the number of \u003ccode\u003eJSON.parse()\u003c/code\u003e calls in a given timeframe.\u003c/li\u003e\n\u003cli\u003eRate limit requests to endpoints that handle JSON data to mitigate the impact of potential hash collision attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:41:03Z","date_published":"2026-05-31T07:41:03Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/","summary":"CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.","title":"CVE-2026-21717 Node.js V8 Hash Collision Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-21717-nodejs-hash-collision/"}],"language":"en","title":"CraftedSignal Threat Feed — Node.js 25.x","version":"https://jsonfeed.org/version/1.1"}