CVE-2024-21891

Source
https://cve.org/CVERecord?id=CVE-2024-21891
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21891.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21891
Aliases
Downstream
Related
Published
2024-02-20T01:31:08.152Z
Modified
2026-07-01T11:53:41.211219019Z
Severity
  • 7.9 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21891.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "4.0"
                },
                {
                    "fixed": "4.*"
                },
                {
                    "introduced": "5.0"
                },
                {
                    "fixed": "5.*"
                },
                {
                    "introduced": "6.0"
                },
                {
                    "fixed": "6.*"
                },
                {
                    "introduced": "7.0"
                },
                {
                    "fixed": "7.*"
                },
                {
                    "introduced": "8.0"
                },
                {
                    "fixed": "8.*"
                },
                {
                    "introduced": "9.0"
                },
                {
                    "fixed": "9.*"
                },
                {
                    "introduced": "10.0"
                },
                {
                    "fixed": "10.*"
                },
                {
                    "introduced": "11.0"
                },
                {
                    "fixed": "11.*"
                },
                {
                    "introduced": "12.0"
                },
                {
                    "fixed": "12.*"
                },
                {
                    "introduced": "13.0"
                },
                {
                    "fixed": "13.*"
                },
                {
                    "introduced": "14.0"
                },
                {
                    "fixed": "14.*"
                },
                {
                    "introduced": "15.0"
                },
                {
                    "fixed": "15.*"
                },
                {
                    "introduced": "16.0"
                },
                {
                    "fixed": "16.*"
                },
                {
                    "introduced": "17.0"
                },
                {
                    "fixed": "17.*"
                },
                {
                    "introduced": "19.0"
                },
                {
                    "fixed": "19.*"
                },
                {
                    "introduced": "20.0"
                },
                {
                    "fixed": "20.11.1"
                },
                {
                    "introduced": "21.0"
                },
                {
                    "fixed": "21.6.2"
                }
            ]
        }
    ],
    "cna_assigner": "hackerone"
}
References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Database specific
{
    "cpe": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "20.11.1"
        },
        {
            "introduced": "21.0.0"
        },
        {
            "fixed": "21.6.2"
        }
    ]
}

Affected versions

v20.*
v20.0.0
v20.1.0
v20.10.0
v20.11.0
v20.2.0
v20.3.0
v20.3.1
v20.4.0
v20.5.0
v20.5.1
v20.6.0
v20.6.1
v20.7.0
v20.8.0
v20.8.1
v20.9.0
v21.*
v21.0.0
v21.1.0
v21.2.0
v21.3.0
v21.4.0
v21.5.0
v21.6.0
v21.6.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21891.json"