Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-21715
PUBLISHED
More InfoOfficial Page
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
View Known Exploited Vulnerability (KEV) details
Published At-30 Mar, 2026 | 19:07
Updated At-01 Apr, 2026 | 15:02
Rejected At-
▼CVE Numbering Authority (CNA)

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.

Affected Products
Vendor
Node.js (OpenJS Foundation)nodejs
Product
node
Default Status
unaffected
Versions
Affected
  • From 20.20.1 through 20.20.1 (semver)
  • From 22.22.1 through 22.22.1 (semver)
  • From 24.14.0 through 24.14.0 (semver)
  • From 25.8.1 through 25.8.1 (semver)
  • From 4.0 before 4.* (semver)
  • From 5.0 before 5.* (semver)
  • From 6.0 before 6.* (semver)
  • From 7.0 before 7.* (semver)
  • From 8.0 before 8.* (semver)
  • From 9.0 before 9.* (semver)
  • From 10.0 before 10.* (semver)
  • From 11.0 before 11.* (semver)
  • From 12.0 before 12.* (semver)
  • From 13.0 before 13.* (semver)
  • From 14.0 before 14.* (semver)
  • From 15.0 before 15.* (semver)
  • From 16.0 before 16.* (semver)
  • From 17.0 before 17.* (semver)
  • From 18.0 before 18.* (semver)
  • From 19.0 before 19.* (semver)
Metrics
VersionBase scoreBase severityVector
3.03.3LOW
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.0
Base score: 3.3
Base severity: LOW
Vector:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
N/A
Hyperlink: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-732CWE-732 Incorrect Permission Assignment for Critical Resource
Type: CWE
CWE ID: CWE-732
Description: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found