CVE-2024-22018

LOW

Node.js 20.x-21.x - Unauthorized File Stats Access via fs.lstat API

Title source: llm

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References (4)

Core 4

Core References

Third Party Advisory

https://hackerone.com/reports/2145862

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240816-0007/

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/11/6

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/19/3

Scores

CVSS v3 2.9

EPSS 0.0021

EPSS Percentile 43.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (18)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 19.0 - 19.*

NodeJS/Node 20.0 - 20.15.1

... and 8 more

Published Jul 10, 2024

Tracked Since Feb 18, 2026