The Zero Day Initiative’s Node[.]js Trust Falls report exposes a Windows-specific privilege escalation risk tied to how Node[.]js resolves modules, with CVE-2026-0776 described as a 0-day affecting the Discord desktop app. The analysis explains that when a require call cannot find a module in the caller’s own node_modules, Node[.]js keeps searching each parent directory up to the drive root, ending at C:\node_modules. Any low-privilege Windows user can create that directory, so a module planted there is loaded, in the privileged process, as soon as the lookup falls through to it.
Case studies cover npm CLI (CVE-2026-0775) and Discord, showing how a missing optional dependency lets the lookup walk all the way to C:\node_modules, so an attacker-controlled file is executed during common commands or at app launch. The report notes that both npm and Discord have stated they do not treat local attacks as security issues, and cites Node[.]js’s policy that “Node[.]js trusts the file system” as a non-vulnerability stance.
It concludes that the burden to mitigate rests with application developers until a fix is offered, highlighting that many other applications built on Node[.]js could be affected on Windows where C:\node_modules is writable, since Node[.]js’s security policy treats this lookup behaviour as expected rather than as a vulnerability.