The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

🗓️ 30 Jun 2024 14:00:00Reported by MicrosoftType

Docs mislead on wildcards in Node.js experimental permission model; /home/node/.ssh/*.pub grants broad access.

Reporter	Title	Published	Views	Family All 93
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Node.js affect IBM Voice Gateway	1 Apr 202418:28	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities	19 Mar 202417:46	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js affect IBM Business Automation Workflow	1 Mar 202419:23	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.15 and earlier	19 Mar 202420:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities	15 Apr 202502:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js	15 Apr 202502:40	–	ibm
FreeBSD	NodeJS -- Vulnerabilities	14 Feb 202400:00	–	freebsd
Tenable Nessus	Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-544)	6 Mar 202400:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0247: nodejs:20 (ALINUX3-SA-2024:0247)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : nodejs:20 (ALSA-2024:1687)	10 Apr 202400:00	–	nessus