Tniessen

**Name of the Vulnerable Software and Affected Versions** Node.js versions 20.x through 24.x **Description** Node.js is susceptible to a remote crash issue due to a flaw in the `SignTraits::DeriveBits()` function. This flaw can be triggered by malformed crypto input in background threads, leading to a denial-of-service condition. The issue arises from an incorrect call to `ThrowException()` based on user-supplied inputs. Approximately 17 million systems are potentially affected. **Recommendations** Update Node.js to the latest version to address this issue.

Name of the Vulnerable Software and Affected Versions: Node.js (affected versions not specified) Description: The issue is related to the Permission Model in Node.js, which incorrectly assumes that any path starting with two backslashes has a four-character prefix that can be ignored. This subtle bug leads to vulnerable edge cases. The vulnerability is associated with errors in processing input data and can be exploited by a remote attacker to impact data integrity. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 20 through 21 **Description** The issue is related to the Node.js Permission Model, which has misleading documentation regarding the use of wildcards in file paths. Specifically, the documentation does not clarify that wildcards should only be used as the last character of a file path. For example, the command `--allow-fs-read=/home/node/.ssh/*.pub` will ignore `pub` and give access to everything after `.ssh/`. This affects all users using the experimental permission model in the affected Node.js versions. **Recommendations** For Node.js versions 20 through 21, consider avoiding the use of wildcards in file paths until the documentation is clarified or updated. As a temporary workaround, ensure that wildcards are only used as the last character of a file path to prevent unintended access. Restrict access to sensitive files and directories to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** The issue is related to incorrect management of code generation in Node.js, allowing unprivileged users to inject code that inherits the process's elevated privileges due to a bug in the implementation of an exception for CAP NET BIND SERVICE. This can lead to code injection and privilege escalation on Linux systems. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 20 through 21 **Description** The issue is related to the permission model in Node.js, which is an experimental feature. It protects itself against path traversal attacks by calling `path.resolve()` on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses `Buffer.from()` to obtain a Buffer from the result of `path.resolve()`. By monkey-patching `Buffer` internals, namely, `Buffer.prototype.utf8Write`, the application can modify the result of `path.resolve()`, which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model. **Recommendations** For Node.js versions 20 through 21, consider disabling the experimental permission model until a patch is available. As a temporary workaround, avoid using the `Buffer.prototype.utf8Write` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 18.x through 20.x **Description** The issue arises when the Node.js policy feature checks the integrity of a resource against a trusted manifest. An application can intercept this operation and return a forged checksum to the node's policy implementation, effectively disabling the integrity check. This affects users of the experimental policy mechanism in active release lines. **Recommendations** For Node.js versions 18.x through 20.x, consider disabling the experimental policy mechanism until a fix is available. As a temporary workaround, restrict access to the policy feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** The issue is related to incorrect restriction of directory path names with limited access. Exploitation of this issue may allow an attacker to access confidential information. The problem involves `node:fs` functions that can specify paths as either strings or `Uint8Array` objects, and in Node.js environments, the `Buffer` class extends the `Uint8Array` class. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** The issue arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations, leading to a path traversal vulnerability. This vulnerability is related to an insufficient patch of a previously disclosed issue. The permission model, which is an experimental feature of Node.js, is involved in this vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js version 20 **Description** A privilege escalation issue exists due to insufficient access control in the crypto.setEngine() method of Node.js. This can be exploited by a remote attacker to bypass existing security restrictions. The attack complexity is high. The crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can disable the permission model in the host process by manipulating the process's stack memory to locate the permission model `Permission::enabled ` in the host process's heap memory. **Recommendations** For Node.js version 20, as a temporary workaround, consider disabling the `crypto.setEngine()` function until a patch is available. Restrict access to the experimental permission model to minimize the risk of exploitation. Avoid using the `crypto.setEngine()` API with compatible OpenSSL engines until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.