Описание
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.
As a result, code running under --permission without --allow-net can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.
This vulnerability affects Node.js 25.x processes using the Permission Model where --allow-net is intentionally omitted to restrict network access. Note that --allow-net is currently an experimental feature.
A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket (UDS) server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication (IPC) endpoints. As a result, unauthorized communication can occur between processes on the same host, bypassing the intended network security restrictions.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | nodejs22 | Not affected | ||
| Red Hat Enterprise Linux 10 | nodejs24 | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:20/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:22/nodejs | Not affected | ||
| Red Hat Enterprise Linux 8 | nodejs:24/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:20/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:22/nodejs | Not affected | ||
| Red Hat Enterprise Linux 9 | nodejs:24/nodejs | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.2 Medium
CVSS3
Связанные уязвимости
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
A flaw in Node.js Permission Model network enforcement leaves Unix Dom ...
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
EPSS
5.2 Medium
CVSS3