PT-2023-8990 · Node.Js+6

Tniessen · Published 2023-10-21 · Updated 2025-04-02 · CVE-2024-21896

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Node.js versions 20 through 21

Description

The issue is related to the permission model in Node.js, which is an experimental feature. It protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model.

Recommendations

For Node.js versions 20 through 21, consider disabling the experimental permission model until a patch is available. As a temporary workaround, avoid using the Buffer.prototype.utf8Write function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
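
A defensive check for the tampering named in the description and the workaround, as an added example that is not Node.js or advisory code: it snapshots Buffer.prototype.utf8Write before other modules load, reports later reassignment, and can pin the property. All function names are hypothetical, and pinning the property is an assumed general hardening step, not a fix for this vulnerability.

```javascript
'use strict';
// Added example, not Node.js project code. Only Buffer.prototype.utf8Write
// is named by the advisory; every function name below is hypothetical.
const WATCHED = ['utf8Write'];

// Call as early as possible, before third-party modules are loaded, so the
// snapshot holds the methods the runtime itself installed.
function snapshotBufferInternals(names = WATCHED) {
  const snap = new Map();
  for (const name of names) snap.set(name, Buffer.prototype[name]);
  return snap;
}

// Returns the watched names that no longer match the snapshot: the method
// was reassigned, or the property was replaced by a getter/setter.
function findTampered(snap) {
  const tampered = [];
  for (const [name, original] of snap) {
    const desc = Object.getOwnPropertyDescriptor(Buffer.prototype, name);
    const isAccessor = Boolean(desc && (desc.get || desc.set));
    if (isAccessor || Buffer.prototype[name] !== original) tampered.push(name);
  }
  return tampered;
}

// Pins each watched method to its snapshot value and makes the property
// non-writable and non-configurable. A later assignment then throws a
// TypeError in strict mode and is silently ignored in sloppy mode.
function lockBufferInternals(snap) {
  const locked = [];
  for (const [name, original] of snap) {
    if (typeof original !== 'function') continue; // absent in this runtime
    Object.defineProperty(Buffer.prototype, name, {
      value: original,
      writable: false,
      configurable: false,
    });
    locked.push(name);
  }
  return locked;
}
```

Pinning only refuses later reassignment of this one property by code that loads afterwards; it does not repair the permission model itself.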

Relative Path Traversal

Path traversal

Weakness Enumeration

Related Identifiers

ALSA-2024:1687
ALSA-2024:1688
ALT-PU-2024-3054
AZL-35053
BDU:2024-02879
BIT-NODE-2024-21896
BIT-NODE-MIN-2024-21896
CESA-2024_1687
CVE-2024-21896
OPENSUSE-SU-2024:13697-1
OPENSUSE-SU-2024:13698-1
RHSA-2024:1687
RHSA-2024:1688
RHSA-2024_1687
RHSA-2024_1688
RLSA-2024:1687
RLSA-2024:1688
SUSE-SU-2024:0643-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse