Module._load(), process.binding(), and path traversal attacks bypass the experimental permission model across v16–v20; update immediately if using --policy or permission flags.
July 9, 2026
Summary
If you rely on Node.js permission policies to sandbox untrusted code, these CVEs let attackers escape restrictions via internal APIs. Updates are available now for all active LTS lines.
Why it matters
If you rely on Node.js permission policies to sandbox untrusted code, these CVEs let attackers escape restrictions via internal APIs. Updates are available now for all active LTS lines.
Implementation verdict
Requires immediate patching to v16.20.2, v18.17.1, or v20.5.1 if you use --policy or --allow-fs-read flags in production. The permission model is experimental, so audit your threat model: if you're not actively using it, risk is low. If you are, this is not optional.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.