From aee42759c31990ce24b365a0fd162682b7c7156e Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Sat, 27 Dec 2025 20:55:59 -0300 Subject: [PATCH 1/2] doc: clarify threat model for application-level API exposure Add examples of non-vulnerabilities when applications expose Node.js APIs to untrusted users without proper security boundaries. --- SECURITY.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a641148bcea04d..95764fb1999042 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -309,6 +309,32 @@ the community they pose. Node.js releases won't be affected by such vulnerabilities. Users are responsible for keeping the software they use through Corepack up-to-date. +#### Exposing Application-Level APIs to Untrusted Users (CWE-653) + +* Node.js trusts the application code that uses its APIs. When application code + exposes Node.js functionality to untrusted users in an unsafe manner, any + resulting crashes, data corruption, or other issues are not considered + vulnerabilities in Node.js itself. It is the application's responsibility to: + * Validate and sanitize all untrusted input before passing it to Node.js APIs. + * Design appropriate access controls and security boundaries. + * Avoid exposing low-level or dangerous APIs directly to untrusted users. + +* Examples of scenarios that are **not** Node.js vulnerabilities: + * Allowing untrusted users to register SQLite user-defined functions that can + perform arbitrary operations (e.g., closing database connections during query + execution, causing crashes or use-after-free conditions). + * Exposing `child_process.exec()` or similar APIs to untrusted users without + proper input validation, allowing command injection. + * Allowing untrusted users to control file paths passed to filesystem APIs + without validation, leading to path traversal issues. + * Permitting untrusted users to define custom code that executes with the + application's privileges (e.g., custom transforms, plugins, or callbacks). + +* These scenarios represent application-level security issues, not Node.js + vulnerabilities. The root cause is the application's failure to establish + proper security boundaries between trusted application logic and untrusted + user input. + ## Assessing experimental features reports Experimental features are eligible for security reports just like any other From 80ab3c747ab5a1dcf69c73270baff3fc4461bc9c Mon Sep 17 00:00:00 2001 
From: RafaelGSS Date: Sat, 27 Dec 2025 21:38:25 -0300 Subject: [PATCH 2/2] fixup! doc: clarify threat model for application-level API exposure --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 95764fb1999042..2270a0161feb89 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -325,7 +325,7 @@ the community they pose. execution, causing crashes or use-after-free conditions). * Exposing `child_process.exec()` or similar APIs to untrusted users without proper input validation, allowing command injection. - * Allowing untrusted users to control file paths passed to filesystem APIs + * Allowing untrusted users to control file paths passed to file system APIs without validation, leading to path traversal issues. * Permitting untrusted users to define custom code that executes with the application's privileges (e.g., custom transforms, plugins, or callbacks).
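Review bot: the opening bullet of the new CWE-653 section is broader than the examples that follow it: "any resulting crashes, data corruption, or other issues are not considered vulnerabilities in Node.js itself" can be read as excluding every crash reachable from untrusted input, including one triggered by well-formed input passed to a documented API in the intended way. Suggest scoping that sentence to what the examples actually describe, namely the application handing untrusted parties the ability to misuse an API (registering a UDF that closes the connection mid-query, passing attacker-controlled strings to `child_process.exec()`), and adding one sentence saying that a crash or use-after-free reached through intended, validated use of an API is still reportable as a Node.js bug even when the exposure scenario around it is not a Node.js vulnerability. The closing bullet ("These scenarios represent application-level security issues, not Node.js vulnerabilities") restates the opening bullet; one of the two could be trimmed.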
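Review bot: this `fixup!` commit changes only "filesystem" to "file system" in one example line and should be squashed into the first commit before landing so the documentation change arrives as a single commit. The hunk context shows no other occurrence of either spelling, so the choice of "file system" should be checked against the rest of SECURITY.md and the other docs rather than assumed to be the consistent form.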