CVE-2024-37372

LOW

Node.js Path Traversal via Permission Model Bypass

Description

The Permission Model assumes that any path starting with two backslashes (\\) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

Scores

CVSS v3 3.6
EPSS 0.0005
EPSS Percentile 15.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (18)
NodeJS/Node 10.0 - 10.*
NodeJS/Node 11.0 - 11.*
NodeJS/Node 12.0 - 12.*
NodeJS/Node 13.0 - 13.*
NodeJS/Node 14.0 - 14.*
NodeJS/Node 15.0 - 15.*
NodeJS/Node 16.0 - 16.*
NodeJS/Node 17.0 - 17.*
NodeJS/Node 19.0 - 19.*
NodeJS/Node 20.0 - 20.15.1
... and 8 more
Published Jan 09, 2025
Tracked Since Feb 18, 2026