
Add --allow-env flag to Permission Model for restricting environment variable access #62424

@himself65

Description


What is the problem this feature will solve?

The Node.js Permission Model (stable as of v23.5.0) allows restricting access to the filesystem, network, child processes, and worker threads — but there is currently no way to restrict a process's access to environment variables.

This is a growing practical security concern. When running third-party code — such as MCP (Model Context Protocol) servers, CLI tools via npx, or untrusted npm packages — the process inherits the full environment of the parent shell, which often contains sensitive secrets:

```
OPENAI_API_KEY=sk-...
DATABASE_URL=postgres://...
AWS_SECRET_ACCESS_KEY=...
ANTHROPIC_API_KEY=sk-ant-...
```

Context: https://x.com/hnykda/status/2036414330267193815

Any package you run can silently exfiltrate these via process.env with no indication to the user.

What is the feature you are proposing to solve the problem?

Add an --allow-env flag to the Permission Model, mirroring Deno's implementation:

```sh
# Block all env var access
node --permission script.js

# Allow all env vars
node --permission --allow-env script.js

# Allow only specific env vars
node --permission --allow-env=PORT,NODE_ENV script.js
```

Attempts to read a disallowed variable via process.env would throw ERR_ACCESS_DENIED, consistent with other permission violations.

Runtime checking would be available via:

```js
process.permission.has('env');
process.permission.has('env', 'PORT');
```

What alternatives have you considered?

The rise of agentic AI tooling (MCP servers, AI CLI agents, etc.) means developers are increasingly running third-party Node.js processes inside their development environments, where shells are pre-loaded with sensitive credentials. This is a meaningful and growing attack surface.

Deno has had this since v1.9. The prior discussion in nodejs/security-wg#993 raised concerns about complexity, but the threat model has materially changed since 2023.

Prior Art

Metadata

Labels: feature request (Issues that request new features to be added to Node.js.)

Status: Awaiting Triage