{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/permission-model/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-21711"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Node.js 25.x"],"_cs_severities":["medium"],"_cs_tags":["nodejs","permission model","uds","unix domain socket","ipc","cve-2026-21711"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Node.js"],"content_html":"\u003cp\u003eCVE-2026-21711 is a vulnerability in Node.js version 25.x related to the experimental permission model. Specifically, it involves a bypass of network restrictions when using Unix Domain Sockets (UDS). The vulnerability occurs because the permission model\u0026rsquo;s network enforcement mechanisms do not properly apply to UDS server operations. This means that code running with the \u003ccode\u003e--permission\u003c/code\u003e flag, but specifically without \u003ccode\u003e--allow-net\u003c/code\u003e (intended to restrict network access), can still create and expose local Inter-Process Communication (IPC) endpoints through UDS. This enables unauthorized communication with other processes on the same host, effectively circumventing the intended network isolation. This flaw is significant for environments relying on the Node.js permission model to isolate applications and prevent them from accessing network resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker deploys a Node.js application using Node.js 25.x with the \u003ccode\u003e--permission\u003c/code\u003e flag and intentionally omits the \u003ccode\u003e--allow-net\u003c/code\u003e flag to restrict network access.\u003c/li\u003e\n\u003cli\u003eThe application leverages the \u003ccode\u003enet\u003c/code\u003e module or a similar mechanism to create a Unix Domain Socket server. This operation should, in theory, be blocked by the permission model due to the missing \u003ccode\u003e--allow-net\u003c/code\u003e flag, but due to the vulnerability, the UDS server is created successfully.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies a path for the UDS that allows other processes on the system to connect to it.\u003c/li\u003e\n\u003cli\u003eA separate, possibly malicious, process on the same host connects to the created UDS. This process could be under the attacker\u0026rsquo;s control or a compromised service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s application and the connecting process establish a communication channel over the UDS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this channel to send commands, data, or other instructions between the two processes, bypassing the intended network restrictions.\u003c/li\u003e\n\u003cli\u003eThe receiving process executes the commands or processes the data received, potentially leading to privilege escalation, data leakage, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining unauthorized access to system resources or compromising the integrity of the receiving process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21711 can lead to a bypass of intended network isolation in Node.js applications. This may allow unauthorized processes to communicate with and potentially control isolated applications, leading to privilege escalation, data leakage, or other forms of compromise. The vulnerability affects Node.js 25.x processes utilizing the permission model. The number of affected installations is unknown, but the impact is potentially significant for environments relying on the permission model to restrict network access and isolate applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Node.js that addresses CVE-2026-21711 once available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts within your environment, focusing on process creation events when the \u003ccode\u003e--permission\u003c/code\u003e flag is enabled.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js processes for suspicious UDS creation and connection activity using the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eReview and harden the permission configurations of Node.js applications to prevent unintended access to sensitive resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-31T07:41:19Z","date_published":"2026-05-31T07:41:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nodejs-uds-bypass/","summary":"CVE-2026-21711 allows code running under the Node.js permission model without network access to create and expose local IPC endpoints via Unix Domain Sockets, bypassing intended network restrictions and enabling inter-process communication.","title":"Node.js Permission Model Bypass via Unix Domain Sockets (CVE-2026-21711)","url":"https://feed.craftedsignal.io/briefs/2026-05-nodejs-uds-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Permission Model","version":"https://jsonfeed.org/version/1.1"}