CVE-2026-21716 in Node.jsinformation

Résumé (Anglaise)

An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.

As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.

This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsable

hackerone

Réserver

04/01/2026

Divulgation

30/03/2026

Statut

Confirmé

Entrées

VulDB provides additional information and datapoints for this CVE:

IDVulnérabilitéCWEExpConCVE
354281Node.js Promises API FileHandle.chown déni de service769Non définiCorrectif officielCVE-2026-21716

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

Sources

PrécédentAperçuSuivant

Might our Artificial Intelligence support you?

Check our Alexa App!