CVE-2026-47140: Node Module Denylist Bypass

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | javascript
greprules fetch cve-2026-47140-node-module-denylist-bypass --engine opengrep

Description

Exact string matching against a denylist or allowlist of Node.js modules can be bypassed by using the `node:` URL scheme prefix or by requesting module subpaths (e.g., `module/subpath`). Ensure that module names are normalized by stripping the `node:` prefix and splitting on `/` to extract the core module name before checking the list.
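
One way to implement the normalization described above, shown beside the exact-match check it replaces. This is an added example, not part of the rule or of any affected project; `DENYLIST`, `coreModuleName` and the sample requests are hypothetical. It goes slightly beyond the description by keeping both segments of scoped npm names (`@scope/name`).

```javascript
// Added example: the list and all helper names are hypothetical.
const DENYLIST = new Set(["child_process", "fs", "vm"]); // constructed sample list

// Exact string comparison: the pattern the rule description warns about.
function isDeniedNaive(request) {
  return DENYLIST.has(request);
}

// Reduce a module request to the name that should be compared with the list.
function coreModuleName(request) {
  if (typeof request !== "string") {
    throw new TypeError("module request must be a string");
  }
  // Strip the node: URL scheme prefix.
  const name = request.startsWith("node:") ? request.slice(5) : request;
  const parts = name.split("/");
  // Scoped npm packages are named "@scope/name": keep both segments.
  if (parts[0].startsWith("@") && parts.length > 1) {
    return parts[0] + "/" + parts[1];
  }
  // Otherwise the first segment is the module; the rest is a subpath.
  return parts[0];
}

// Compare the normalized name, not the raw request, against the list.
function isDeniedNormalized(request) {
  return DENYLIST.has(coreModuleName(request));
}

// Run both checks over a list of requests for side-by-side comparison.
function compare(requests) {
  return requests.map((r) => ({
    request: r,
    naive: isDeniedNaive(r),
    normalized: isDeniedNormalized(r),
  }));
}

// Constructed sample requests.
const SAMPLE = ["fs", "node:fs", "fs/promises", "node:fs/promises", "@scope/pkg/lib", "path"];
console.table(compare(SAMPLE));
```

The same normalization applies to an allowlist: look up `coreModuleName(request)` rather than the raw request string.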

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
