Rafaelgss

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** A flaw in Node.js URL processing can lead to an assertion failure in native code when the `url.format()` function is invoked with a malformed internationalized domain name (IDN) containing invalid characters. This results in a crash of the Node.js process. The issue occurs when processing internationalized domain names with invalid characters. The vulnerable function is `url.format()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 20.x **Description** The use of the deprecated API `process.binding()` can bypass the permission model through path traversal, potentially allowing a remote attacker to bypass security restrictions and gain unauthorized access to protected information. This issue affects users of the experimental permission model in Node.js. **Recommendations** For Node.js versions 20.x, consider disabling the use of the `process.binding()` API until a patch is available to prevent potential exploitation. Restrict access to sensitive information and directories to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js version 20 **Description** A flaw in the experimental permission model of Node.js version 20 allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used with a non-* argument. This issue arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. **Recommendations** For Node.js version 20, consider disabling the experimental permission model or restricting the use of the `fs.statfs` API until a patch is available. Avoid using the --allow-fs-read flag with non-* arguments to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.