CVE-2024-21891

CWE-22: Path Traversal | 7 documents | 7 sources
Severity: 8.8 HIGH
EPSS: 0.2% (top 53.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 20, 2024

Description

Node.js relies on several built-in utility functions to normalize the paths passed to node:fs functions. Those functions can be overwritten with user-defined implementations, which lets code running under the permission model bypass the filesystem restrictions through a path traversal attack. The vulnerability affects all users of the experimental permission model in Node.js 20 and Node.js 21. Note that, at the time this CVE was issued, the permission model was an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

Source       Package          Affected range
CVEList V5   nodejs/node      4.0 to 4.* (+16 more ranges)
NVD          nodejs/node.js   20.0.0 to 20.11.1 (+1 more range)
Ubuntu       nodejs           < 20.18.1+dfsg-1ubuntu2

Vulnerability Details (3)

OSV: CVE-2024-21891: Node (2024-02-20)
CVEList: CVE-2024-21891: Node (2024-02-20)
GHSA: GHSA-4rwx-mrf5-wx33: Node (2024-02-20)

Vendor Advisories (3)

Red Hat: nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (2024-02-19)
Microsoft: Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions which can be overwritten with user-defined implementations leading to filesystem permission model (2024-02-13)
Debian: CVE-2024-21891: nodejs - Node.js depends on multiple built-in utility functions to normalize paths provid... (2024)

Source: cvebase.io (CVE-2024-21891, HIGH, CVSS 8.8)