CVE-2024-36137

LOW

Node.js < 20.15.1, < 22.4.1 - Permission Model Bypass via File Descriptor Manipulation

Title source: llm

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

References (2)

Core 2

Core References

Various Sources

https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241122-0005/

Scores

CVSS v3 3.3

EPSS 0.0010

EPSS Percentile 26.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (18)

NodeJS/Node 10.0 - 10.*

NodeJS/Node 11.0 - 11.*

NodeJS/Node 12.0 - 12.*

NodeJS/Node 13.0 - 13.*

NodeJS/Node 14.0 - 14.*

NodeJS/Node 15.0 - 15.*

NodeJS/Node 16.0 - 16.*

NodeJS/Node 17.0 - 17.*

NodeJS/Node 19.0 - 19.*

NodeJS/Node 20.0 - 20.15.1

... and 8 more

Published Sep 07, 2024

Tracked Since Feb 18, 2026