Low

Node.js Permission Model bypass in fs.realpathSync.native()

IdentifiersCVE-2026-21715CWE-863

CVE-2026-21715 is a low-severity information disclosure vulnerability in the Node.js Permission Model. In affected Node.js 20.x, 22.x, 24.x, and 25.x releases, the filesystem API fs.realpathSync.native() does not enforce the expected read permission checks when a process is started with --permission and restricted --allow-fs-read settings. While comparable filesystem functions correctly honor the configured read restrictions, fs.realpathSync.native() can still be invoked to resolve paths outside the permitted read scope. This allows untrusted or constrained code to test whether files exist, resolve symlink targets, and enumerate filesystem paths beyond directories explicitly allowed by the Permission Model.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in information disclosure rather than direct code execution or privilege escalation. An attacker able to run JavaScript within a Node.js process configured with the Permission Model can bypass intended filesystem read restrictions to infer the existence of files and directories outside approved paths, resolve symlink destinations, and gather filesystem layout information. This can expose sensitive environmental details useful for follow-on attacks, policy bypass, or discovery of secrets stored in otherwise inaccessible locations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid relying on the Node.js Permission Model alone to isolate untrusted code from filesystem metadata disclosure. Do not execute untrusted JavaScript in processes where sensitive filesystem paths are reachable from the host namespace. Where feasible, use stronger isolation boundaries such as containers, separate hosts, chroot-like confinement, or OS-level sandboxing, and minimize exposure of sensitive files and symlink structures to the runtime environment until patched versions can be deployed.

Remediation

Patch, then assume compromise.

Upgrade Node.js to a patched release that fixes CVE-2026-21715. The provided context identifies patched versions as Node.js v20.20.2, v22.22.2, v24.14.1, and v25.8.2. Organizations should update affected 20.x, 22.x, 24.x, and 25.x deployments using the Permission Model, especially where --allow-fs-read is intentionally restricted to sandbox untrusted code.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NodejsNodejsapplication

Rocky LinuxNodejs24application

Rocky LinuxRocky Linuxoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

thecyberexpress com vulnerabilitiesNews

Mar 26, 2026

Node.js Fixes CVE-2026-21637 And Critical Flaws Now

A low-severity Node.js Permission Model issue where fs.realpathSync.native() bypasses read permission checks and can disclose file existence.

cyber security newsNews

Mar 25, 2026

Node.js Patches Multiple Vulnerabilities That Enable DoS Attacks and Process Crashes - Cyber Security News

A low-severity Node.js permission model bypass that allows filesystem path disclosure outside permitted directories via fs.realpathSync.native().

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-21715

NVD

nvd.nist.gov/vuln/detail/CVE-2026-21715

MITRE CWE · CWE-863

cwe.mitre.org

nodejs.org

nodejs.org/en/blog/vulnerability/march-2026-security-releases