CVE-2026-33872: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in revelrylabs elixir-nodejs
elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller. In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B. This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session. The issue is fixed in v3.1.4.
AI Analysis
Technical Summary
The vulnerability in elixir-nodejs arises from a race condition (CWE-362) in the worker protocol that lacks request-response correlation. When multiple requests are processed concurrently, the worker may return a stale or unrelated response to a caller, resulting in cross-user data leakage. This flaw affects versions before 3.1.4 and can expose sensitive user data in high-throughput environments. The problem is resolved by the official fix in version 3.1.4.
Potential Impact
This vulnerability can cause unauthorized information disclosure by returning sensitive data from one user session to another. The leaked data may include personally identifiable information, authentication tokens, or private records. Because the application may not detect or report errors, the data leakage can be silent and difficult to trace, increasing the risk of privacy violations and potential compliance issues.
Mitigation Recommendations
An official fix is available in elixir-nodejs version 3.1.4. Users should upgrade to this version or later to remediate the vulnerability. No other mitigation steps are indicated by the vendor advisory.
CVE-2026-33872: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in revelrylabs elixir-nodejs
Description
elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller. In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B. This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session. The issue is fixed in v3.1.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in elixir-nodejs arises from a race condition (CWE-362) in the worker protocol that lacks request-response correlation. When multiple requests are processed concurrently, the worker may return a stale or unrelated response to a caller, resulting in cross-user data leakage. This flaw affects versions before 3.1.4 and can expose sensitive user data in high-throughput environments. The problem is resolved by the official fix in version 3.1.4.
Potential Impact
This vulnerability can cause unauthorized information disclosure by returning sensitive data from one user session to another. The leaked data may include personally identifiable information, authentication tokens, or private records. Because the application may not detect or report errors, the data leakage can be silent and difficult to trace, increasing the risk of privacy violations and potential compliance issues.
Mitigation Recommendations
An official fix is available in elixir-nodejs version 3.1.4. Users should upgrade to this version or later to remediate the vulnerability. No other mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.679Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c6e53a3c064ed76fede072
Added to database: 3/27/2026, 8:14:50 PM
Last enriched: 4/4/2026, 10:58:47 AM
Last updated: 5/12/2026, 2:07:15 AM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.