PT-2024-5138 · Node.Js+5
4Xpl0R3R · Published 2024-04-19 · Updated 2026-03-31
CVE-2024-36137
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Node.js (affected versions not specified)
Description:
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. This issue is related to shortcomings in access control.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
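A stopgap for deployments that rely on the Permission Model, as an added example (not Node.js project code and not part of the original advisory): because a file descriptor cannot be checked against the allowed paths, it disables the fd-based metadata calls unless fs.write is granted for every path. The name guardFdMetadataOps and its parameters are assumptions made for this example, and FileHandle.chmod/chown in fs/promises are not covered.

```javascript
'use strict';
// Added example: guard for fd-based metadata calls under the Permission Model.
const fs = require('node:fs');

// Calls named in the advisory, in their callback and synchronous forms.
const FD_METADATA_OPS = ['fchmod', 'fchmodSync', 'fchown', 'fchownSync'];

function denied(op) {
  const err = new Error(`${op} blocked: fs.write is not granted for every path`);
  err.code = 'ERR_ACCESS_DENIED'; // same code string Node.js uses for permission denials
  return err;
}

// `permission` defaults to process.permission, which exists only when the
// Permission Model is enabled. `target` is the module object to patch.
// Returns the names of the functions that were replaced.
function guardFdMetadataOps(permission = process.permission, target = fs) {
  if (!permission) return [];                // Permission Model off: nothing to enforce
  if (permission.has('fs.write')) return []; // no reference: write is allowed everywhere
  const wrapped = [];
  for (const op of FD_METADATA_OPS) {
    if (typeof target[op] !== 'function') continue;
    target[op] = op.endsWith('Sync')
      ? () => { throw denied(op); }
      : (...args) => {
          // Callback form: report the denial through the callback when one is given.
          const cb = args[args.length - 1];
          if (typeof cb !== 'function') throw denied(op);
          process.nextTick(cb, denied(op));
        };
    wrapped.push(op);
  }
  return wrapped;
}

// Install before any application or third-party code is loaded.
guardFdMetadataOps();
```

Code that captured a reference to the original functions before the guard ran is not affected, so the guard has to be the first module loaded.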
Affected Products
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse