DEBIAN-CVE-2026-21715

DEBIAN-CVE-2026-21715 PUBLISHED CVSS 3.299999952316284 LOW

A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.

Risk Scores

CVSS v3.0

3.299999952316284

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:13	nodejs	0, 20.19.2+dfsg-1, 20.19.2+dfsg-1+deb13u1
Debian:14	nodejs	20.19.5+dfsg+~cs20.19.24-1, 22.12.0+dfsg-1, 22.12.0+dfsg-2

Timeline

Mar 30, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-21715 advisory

Open in Interactive Console →