Node.js Trust Falls: Dangerous Module Resolution on Windows
The blog details a local privilege escalation vulnerability affecting Node.js applications on Windows, arising from its module resolution behavior. Node.js searches for modules in C:\node_modules by default, allowing attackers to create this directory. Malicious modules placed there can be executed within the context of a user running an application. The issue stems from Node.js's stance of "trusting the file system", considering it intentional behavior. This negligence transforms optional dependencies into a dangerous attack vector. npm CLI and Discord are demonstrated as vulnerable, exploiting missing optional dependencies. The npm CLI vulnerability, CVE-2026-0775, leverages a missing "bluebird" package. Discord, through CVE-2026-0776, is vulnerable due to a missing "utf-8-validate" dependency, and remains unpatched. These vulnerabilities are triggered when launching the applications, without user interaction. Node.js, npm, and Discord do not consider this a valid security issue. The blog encourages researchers to investigate more applications for similar vulnerabilities.
C:\node_modulesby default, allowing attackers to create this directory. Malicious modules placed there can be executed within the context of a user running an application. The issue stems from Node.js's stance of "trusting the file system", considering it intentional behavior. This negligence transforms optional dependencies into a dangerous attack vector. npm CLI and Discord are demonstrated as vulnerable, exploiting missing optional dependencies. The npm CLI vulnerability, CVE-2026-0775, leverages a missing "bluebird" package. Discord, through CVE-2026-0776, is vulnerable due to a missing "utf-8-validate" dependency, and remains unpatched. These vulnerabilities are triggered when launching the applications, without user interaction. Node.js, npm, and Discord do not consider this a valid security issue. The blog encourages researchers to investigate more applications for similar vulnerabilities.