PT-2024-3905 · Node.Js+6

Xion · Published 2024-02-16 · Updated 2025-03-28 · CVE-2024-21891

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21
Description: The issue lies in the experimental permission model of Node.js. User-defined implementations can overwrite the built-in utility functions that node:fs functions use to normalize the paths passed to them, so the path checked by the permission model can differ from the path actually accessed. This allows the filesystem permission model to be bypassed through a path traversal attack. The vulnerability affects users of the experimental permission model in the specified Node.js versions.
Recommendations: For Node.js versions 20 through 21, consider disabling the experimental permission model until a patch is available. Restrict access to node:fs functions to minimize the risk of exploitation. Avoid using user-defined implementations for path normalization until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal


Weakness Enumeration

Related Identifiers

ALSA-2024:1687
ALSA-2024:1688
ALT-PU-2024-3054
AZL-35046
BDU:2024-04314
BIT-NODE-2024-21891
BIT-NODE-MIN-2024-21891
CESA-2024_1687
CVE-2024-21891
OPENSUSE-SU-2024:13697-1
OPENSUSE-SU-2024:13698-1
RHSA-2024:1687
RHSA-2024:1688
RHSA-2024_1687
RHSA-2024_1688
RLSA-2024:1687
RLSA-2024:1688
SUSE-SU-2024:0643-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse