
CVE-2026-21636: Vulnerability in nodejs node

Medium
Published: Tue Jan 20 2026 (01/20/2026, 20:41:55 UTC)
Source: CVE Database V5
Vendor/Project: nodejs
Product: node

Description

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution.

The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.

AI-Powered Analysis

Last updated: 01/20/2026, 21:07:07 UTC

Technical Analysis

CVE-2026-21636 is a vulnerability discovered in Node.js version 25.2.1 that impacts the experimental permission model controlling network access via the `--allow-net` flag. The flaw arises because Unix Domain Socket (UDS) connections are not properly restricted by the permission model. Even when network access is disabled (i.e., `--allow-net` is not enabled), attacker-controlled inputs such as URLs or socketPath options passed to Node.js APIs like net, tls, or undici/fetch can establish connections to arbitrary local sockets. This bypasses the intended network restrictions and breaks the security boundary designed to isolate network access.

The consequence is that an attacker with the ability to supply these inputs can connect to privileged local services running on the same host via UDS, potentially leading to privilege escalation, unauthorized data access, or local code execution. The vulnerability does not require prior authentication or user interaction, increasing its risk. However, it only affects the experimental permission model in Node.js v25.2.1, which is not yet widely adopted in production environments. No public exploits have been reported so far. The issue highlights the challenges of securing fine-grained permission models in runtime environments and the need for careful validation of local IPC mechanisms like UDS when enforcing network restrictions.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to environments running Node.js version 25.2.1 with the experimental permission model enabled. Organizations using Node.js in development or production that rely on local Unix Domain Sockets for inter-process communication could have their local services exposed to unauthorized access. This exposure could lead to privilege escalation if attackers leverage access to privileged sockets, data leakage from sensitive local services, or even local code execution if the attacker can manipulate socket communications. The impact is heightened in multi-tenant or shared hosting environments common in European cloud providers, where isolation between services is critical. Additionally, sectors with high reliance on Node.js for backend services, such as financial services, telecommunications, and government infrastructure, could face operational disruptions or data breaches. While the vulnerability does not affect availability directly, the confidentiality and integrity of local services are at risk. The medium CVSS score reflects the moderate ease of exploitation combined with limited scope due to the experimental nature of the permission model.

Mitigation Recommendations

1. Avoid deploying Node.js version 25.2.1 with the experimental permission model enabled in production environments until an official patch is released.
2. If usage is necessary, restrict access to local Unix Domain Sockets by applying strict filesystem permissions and access controls to limit which processes and users can interact with these sockets.
3. Monitor and audit local socket connections for unusual or unauthorized access patterns using host-based intrusion detection systems or custom logging.
4. Implement application-level validation to sanitize and restrict attacker-controlled inputs that specify socket paths or URLs to prevent arbitrary socket connections.
5. Keep Node.js installations up to date and apply security patches promptly once available.
6. Consider isolating critical local services in containers or sandboxes to limit the impact of potential socket-based attacks.
7. Educate developers about the risks of using experimental permission models and encourage adherence to security best practices when handling IPC mechanisms.
8. Engage with Node.js security advisories and community channels to track updates on this vulnerability and related fixes.


Technical Details

Data Version: 5.2
Assigner Short Name: hackerone
Date Reserved: 2026-01-01T15:00:02.339Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 696feab04623b1157c4e3b7e

Added to database: 1/20/2026, 8:50:56 PM

Last enriched: 1/20/2026, 9:07:07 PM

Last updated: 2/7/2026, 6:59:48 AM

Views: 150
