The vulnerability identified as CVE-2026-33872 affects the elixir-nodejs library developed by revelrylabs, which provides an Elixir API to invoke Node.js functions. Versions prior to 3.1.4 suffer from a race condition (CWE-362) in the worker protocol responsible for handling request-response interactions. Specifically, the protocol lacks proper request-response correlation, meaning the worker does not verify that a response corresponds to the initiating request. Under conditions of high throughput, concurrency, or timeouts, this can cause the worker to return a stale or mismatched response from its buffer to an unrelated caller. Consequently, data belonging to one user (User A) may be inadvertently sent to another user (User B), resulting in unauthorized disclosure of sensitive information such as personally identifiable information (PII), authentication tokens, or private records. This flaw is particularly dangerous because the application may not detect or flag the error, instead delivering plausible but incorrect data, complicating detection and forensic analysis. The vulnerability has a CVSS 4.0 base score of 7.1 (high severity), reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality. No known exploits are currently reported in the wild. The issue is resolved in elixir-nodejs version 3.1.4 by implementing proper synchronization and request-response correlation in the worker protocol to ensure responses are correctly matched to their originating requests.

This vulnerability poses a significant risk to organizations using elixir-nodejs in environments processing sensitive or private data. The unauthorized disclosure of confidential information such as PII, authentication tokens, or private records can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), reputational damage, and potential financial penalties. Because the flaw can cause data leakage silently without triggering errors, it complicates detection and incident response efforts. High-throughput or concurrent systems are especially vulnerable, increasing the likelihood of exposure in production environments. Attackers do not need to authenticate or interact with users to exploit this issue, enabling remote exploitation over the network. Although no exploits are currently known, the presence of a public CVE and high severity score increases the risk of future exploitation attempts. Organizations relying on elixir-nodejs for critical or sensitive applications must consider this vulnerability a serious threat to confidentiality and data integrity.

Organizations should immediately upgrade all deployments of elixir-nodejs to version 3.1.4 or later, where the vulnerability is fixed. Until upgrading, consider implementing strict request-response correlation at the application layer to detect and reject stale or mismatched responses. Employ runtime monitoring and logging to identify anomalous data leakage patterns or unexpected data returned to users. Limit concurrency and throughput where feasible to reduce the likelihood of race conditions triggering. Conduct thorough code reviews and testing of any custom integrations using elixir-nodejs to ensure proper synchronization and data isolation. Additionally, apply network segmentation and access controls to restrict exposure of services using this library. Finally, maintain an incident response plan that includes procedures for investigating potential data leakage incidents stemming from this vulnerability.