CVE-2024-37372

CWE-22Path TraversalCWE-7546 documents6 sources
Severity
3.6LOW
EPSS
0.0%
top 85.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nodejs Node
Timeline
PublishedJan 9

Description

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 1.0 | Impact: 2.5

Affected Packages2 packages

CVEListV5nodejs/node4.04.*+17
Alpinenodejs< 0+4

🔴Vulnerability Details

3
CVEList
CVE-2024-37372: The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true2025-01-09
OSV
CVE-2024-37372: The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true2025-01-09
GHSA
GHSA-7975-2qr9-g542: The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true2025-01-09

📋Vendor Advisories

2
Red Hat
nodejs: Permission model improperly processes UNC paths2025-01-09
Debian
CVE-2024-37372: nodejs - The Permission Model assumes that any path starting with two backslashes \ has a...2024
CVE-2024-37372 (LOW CVSS 3.6) | The Permission Model assumes that a | cvebase.io