A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. * The issue affects users of the Node.js permission model on version v25. In the moment of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
When Node.js is run with the `--permission` flag, the permission model should block unauthorized network connections. However, an attacker can supply controlled input data (e.g., a URL or `socketPath` option) that establishes connections to arbitrary local UDS sockets via the `net`, `tls`, or `undici`/`fetch` modules. The Unix Domain Socket mechanism is not covered by the access control enforced by `--allow-net`, resulting in a breach of the intended security boundary of the permission model. This allows communication with privileged local services accessible only through UDS.
An attacker can gain unauthorized access to privileged local services, which may result in privilege escalation, disclosure of sensitive data, or local code execution (RCE/LPE).
Patches available from the vendor should be applied according to the references (https://nodejs.org/en/blog/vulnerability/december-2025-security-releases). Until updating, avoid passing untrusted input data as URLs or `socketPath` in applications running with the `--permission` flag, and restrict access to environments using Node.js v25.
Node.js version v25 with the permission model enabled (the `--permission` flag). Affects environments running on Unix/Linux systems that use Unix Domain Sockets.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HNode.js
APPNodejs25.0.0 – 25.3.0 (bez)
Related vulnerabilities
Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority
Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki
Command injection w aplikacjach Windows korzystających z CreateProcess
Path traversal w Permission Model Node.js przez monkey-patching Buffer
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...