CVE-2024-21890

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21890

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21890.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-21890

Aliases

Related

Published

2024-02-20T02:15:50Z

Modified

2025-02-14T11:54:06.005648Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:

 --allow-fs-read=/home/node/.ssh/*.pub

will ignore pub and give access to everything after .ssh/.

This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Fixed

9b1bf44ea9e7785e38c93b7d22d32dbca262df6c

Affected versions

v20.*

v20.0.0

v20.1.0

v20.10.0

v20.11.0

v20.2.0

v20.3.0

v20.3.1

v20.4.0

v20.5.0

v20.5.1

v20.6.0

v20.6.1

v20.7.0

v20.8.0

v20.8.1

v20.9.0