Description
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.8 | Impact: 1.4
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
Affected Packages (3 packages)
Debian: nodejs < 20.15.1+dfsg-1+1
Vulnerability Details (4)
GHSA: GHSA-q793-mj5v-wh68: A vulnerability has been identified in Node (2024-09-07)
CVEList: CVE-2024-36137: A vulnerability has been identified in Node (2024-09-07)
OSV: CVE-2024-36137: A vulnerability has been identified in Node (2024-09-07)
OSV: CVE-2024-36137: A vulnerability has been identified in Node (2024-09-07)
Vendor Advisories (3)
Red Hat: nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (2026-03-30)
Red Hat: nodejs: fs.fchown/fchmod bypasses permission model (2024-07-08)
Debian: CVE-2024-36137: nodejs - A vulnerability has been identified in Node.js, affecting users of the experimen... (2024)
Community (2)
Bugzilla: CVE-2026-21716 nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (2026-03-30)
HackerOne: fs.fchown/fchmod bypasses permission model (2024-10-16)