<Vulnerability name="CVE-2026-48935">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-06-26T01:14:36</PublicDate>
    <Bugzilla id="2493329" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493329" xml:lang="en:us">
nodejs: Node.js: Unauthorized file metadata modification
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>3.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-279</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.

This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system.
    </Details>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35841">RHSA-2026:35841</Advisory>
        <Package name="nodejs24">nodejs24-1:24.18.0-1.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35842">RHSA-2026:35842</Advisory>
        <Package name="nodejs22">nodejs22-1:22.23.1-2.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <ReleaseDate>2026-07-15T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:39868">RHSA-2026:39868</Advisory>
        <Package name="nodejs:24">nodejs:24-8100020260630152626.6d880403</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35891">RHSA-2026:35891</Advisory>
        <Package name="nodejs:24">nodejs:24-9080020260626074955.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-07-06T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35892">RHSA-2026:35892</Advisory>
        <Package name="nodejs:22">nodejs:22-9080020260626075442.rhel9</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-30T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:33866">RHSA-2026:33866</Advisory>
        <Package name="nodejs26-main">nodejs26-main-26.4.0-1.3.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-01T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34478">RHSA-2026:34478</Advisory>
        <Package name="nodejs24-main">nodejs24-main-24.18.0-0.2.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-03T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:35272">RHSA-2026:35272</Advisory>
        <Package name="nodejs22-main">nodejs22-main-22.23.1-2.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-10T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:7378">RHSA-2026:7378</Advisory>
        <Package name="nodejs25-main">nodejs25-main-25.9.0-1.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-04-21T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:9455">RHSA-2026:9455</Advisory>
        <Package name="nodejs20-main">nodejs20-main-20.20.2-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>nodejs</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48935
https://nvd.nist.gov/vuln/detail/CVE-2026-48935
https://nodejs.org/en/blog/vulnerability/june-2026-security-releases
    </References>
</Vulnerability>