CVE-2024-37372

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Node.js (affected versions not specified)

Description: The issue is related to the Permission Model in Node.js, which incorrectly assumes that any path starting with two backslashes has a four-character prefix that can be ignored. This subtle bug leads to vulnerable edge cases. The vulnerability is associated with errors in processing input data and can be exploited by a remote attacker to impact data integrity.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-264CWE-22

Related Identifiers

BDU:2024-05684

BDU:2024-05685

BIT-NODE-2024-37372

BIT-NODE-MIN-2024-37372

CLEANSTART-2026-BD71263

CLEANSTART-2026-IS74202

CLEANSTART-2026-JR35772

CLEANSTART-2026-JY06700

CLEANSTART-2026-KN34553

CLEANSTART-2026-KZ45320

CLEANSTART-2026-LJ44720

CLEANSTART-2026-LN12820

CLEANSTART-2026-TX00223

CLEANSTART-2026-WI75198

CVE-2024-37372

MGASA-2024-0282

OPENSUSE-SU-2024:14214-1

OPENSUSE-SU-2024:14435-1

OPENSUSE-SU-2025:15802-1

SUSE-SU-2024:2543-1

SUSE-SU-2024:2574-1

Affected Products

Node.Js

Suse

CVE-2024-37372

Weakness Enumeration

Related Identifiers

Affected Products

References · 207