CVE-2024-21891

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21891

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21891.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-21891

Aliases

Related

Published

2024-02-20T02:15:50Z

Modified

2025-02-14T11:53:49.871324Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type: GIT
Repo: https://github.com/nodejs/node
Events: Introduced

e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0

Fixed

9b1bf44ea9e7785e38c93b7d22d32dbca262df6c

Affected versions

v20.*

v20.0.0

v20.1.0

v20.10.0

v20.11.0

v20.2.0

v20.3.0

v20.3.1

v20.4.0

v20.5.0

v20.5.1

v20.6.0

v20.6.1

v20.7.0

v20.8.0

v20.8.1

v20.9.0