CVE-2024-21890

MEDIUM

Node.js <21 - Info Disclosure

Title source: llm

Description

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References (3)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2024/03/11/1

[Issue Tracking, Third Party Advisory] https://hackerone.com/reports/2257156

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20240315-0002/

Scores

CVSS v3 6.5

EPSS 0.0104

EPSS Percentile 77.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

Status published

Affected Products (1)

nodejs/node.js < 20.11.1

Timeline

Published Feb 20, 2024

Tracked Since Feb 18, 2026