Node.js Module Resolution Flaw: A Windows LPE Nightmare
Pentesting News has highlighted a persistent design flaw within Node.js’s module resolution mechanism on Windows, which continues to pose a significant local privilege escalation (LPE) risk. The issue stems from Node.js’s default behavior of checking for packages in C:\node_modules during its module search path. Because low-privileged users can create this directory and populate it with malicious modules, any Node.js application that has missing or optional dependencies becomes a potential target for attackers seeking to escalate their privileges.
This isn’t a new revelation; discussions around Node.js’s module search path have been ongoing since 2013-2014. Node.js maintainers have historically considered this behavior intentional, stating, “Node.js trusts the file system,” and do not classify it as a vulnerability like CWE-427 (Uncontrolled Search Path Element). Instead, they place the onus on application developers to secure their code against this potential abuse.
Pentesting News points to this stance as having dangerous real-world consequences. Developers often remain unaware of this attack surface, which leaves many applications exploitable. While specific examples like npm CLI and the Discord desktop app (CVE-2026-0776, reportedly unpatched) are cited, it’s highly probable that numerous other Node.js applications are susceptible to LPE attacks via this module resolution quirk.
What This Means For You
- Security professionals should audit Node.js applications, especially those deployed on Windows or used by low-privileged users, to ensure they do not rely on optional or missing dependencies that could be exploited by a malicious `C:\node_modules` directory. Prioritize patching and dependency management for applications exhibiting this behavior.
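One way to run the audit described above, as an added example that is not from the article or the Node.js project: it models Node's documented parent-directory `node_modules` walk and reports dependencies that are not satisfied inside the application's own directory, together with the out-of-tree directories Node would fall through to. The names `lookupDirs`, `isInside` and `auditFallthrough`, the `ExampleApp` paths and the package names are assumptions made up for illustration.

```javascript
// Added example: models Node's documented node_modules lookup walk with
// path.win32, so results are the same on any OS. Paths and package names
// below are constructed; global folders and NODE_PATH are not modelled.
const path = require('path').win32;

// Directories searched for a bare require('x') issued from fromDir:
// <dir>\node_modules for fromDir and every parent, up to the drive root.
function lookupDirs(fromDir) {
  const dirs = [];
  let dir = path.normalize(fromDir);
  for (;;) {
    if (path.basename(dir) !== 'node_modules') dirs.push(path.join(dir, 'node_modules'));
    const parent = path.dirname(dir);
    if (parent === dir) break; // reached the drive root, e.g. C:\
    dir = parent;
  }
  return dirs;
}

// True when dir is root or below it (Windows paths compare case-insensitively).
function isInside(root, dir) {
  const rel = path.relative(root.toLowerCase(), dir.toLowerCase());
  return rel !== '..' && !rel.startsWith('..\\') && !path.isAbsolute(rel);
}

// Report each dependency that does not resolve from a directory inside appRoot.
// exists() is injectable for testing; it defaults to a real disk check.
function auditFallthrough(appRoot, entryDir, deps, exists = require('fs').existsSync) {
  const dirs = lookupDirs(entryDir);
  const present = (d, dep) =>
    ['', '.js', '.json', '.node'].some((ext) => exists(path.join(d, dep + ext)));
  const findings = [];
  for (const dep of deps) {
    const hit = dirs.find((d) => present(d, dep)) || null;
    if (hit && isInside(appRoot, hit)) continue; // satisfied inside the app
    const exposedDirs = dirs.filter((d) => !isInside(appRoot, d));
    findings.push({ dep, resolvedFrom: hit, exposedDirs });
  }
  return findings;
}

// Constructed sample: one installed dependency, one optional dependency absent.
const APP_ROOT = 'C:\\Program Files\\ExampleApp';
const ENTRY_DIR = APP_ROOT + '\\resources\\app';
const INSTALLED = new Set([ENTRY_DIR + '\\node_modules\\express']);
function demo() {
  const deps = ['express', 'optional-native-helper'];
  return auditFallthrough(APP_ROOT, ENTRY_DIR, deps, (p) => INSTALLED.has(p));
}
console.log(JSON.stringify(demo(), null, 2));
```

A finding with `resolvedFrom: null` means the dependency is absent and Node will probe every listed `exposedDirs` entry; a non-null `resolvedFrom` means a copy outside the application tree is already being loaded. Feed it the `dependencies` and `optionalDependencies` keys from the application's `package.json` and omit the last argument to check the real disk.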