CVE-2026-21716 in Node.js
要約 (英語)
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.
As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
責任者
hackerone
予約する
2026年01月04日
公開
2026年03月30日
ステータス
確認済み
エントリ
VulDB provides additional information and datapoints for this CVE:
| 識別子 | 脆弱性 | CWE | 悪用可 | 対策 | CVE |
|---|---|---|---|---|---|
| 354281 | Node.js Promises API FileHandle.chown サービス拒否 | 769 | 未定義 | 公式な修正 | CVE-2026-21716 |