CVE-2024-22018

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21

Description: A flaw in the experimental permission model of Node.js allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used. This issue arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API.

Recommendations: For Node.js versions 20 and 21, consider disabling the experimental permission model until a patch is available. Restrict access to the fs.lstat API to minimize the risk of exploitation. Avoid using the --allow-fs-read flag in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-275CWE-266

Related Identifiers

ALSA-2024:5814

ALSA-2024:5815

AZL-43213

BDU:2024-05671

BIT-NODE-2024-22018

BIT-NODE-MIN-2024-22018

CESA-2024_5814

CLEANSTART-2026-BD71263

CLEANSTART-2026-IS74202

CLEANSTART-2026-JR35772

CLEANSTART-2026-JY06700

CLEANSTART-2026-KN34553

CLEANSTART-2026-KZ45320

CLEANSTART-2026-LJ44720

CLEANSTART-2026-LN12820

CLEANSTART-2026-TX00223

CLEANSTART-2026-WI75198

CVE-2024-22018

INFSA-2024_5814

INFSA-2024_5815

MGASA-2024-0282

OESA-2025-1199

OESA-2025-1200

OPENSUSE-SU-2024:14214-1

OPENSUSE-SU-2024:14435-1

OPENSUSE-SU-2025:15802-1

RHSA-2024:5814

RHSA-2024:5815

RHSA-2024_5814

RHSA-2024_5815

RLSA-2024:5814

RLSA-2024:5815

SUSE-SU-2024:2543-1

SUSE-SU-2024:2574-1

SUSE-SU-2024_2543-1

SUSE-SU-2024_2574-1

Affected Products

Almalinux

Centos

Node.Js

Red Hat

Rocky Linux

Suse

CVE-2024-22018

Weakness Enumeration

Related Identifiers

Affected Products

References · 243