Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

🗓️ 30 Jun 2024 14:00:00Reported by MicrosoftType

Overridable path normalization in node:fs enables traversal and permission bypass.

Reporter	Title	Published	Views	Family All 88
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Node.js affect IBM Voice Gateway	1 Apr 202418:28	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities	19 Mar 202417:46	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for May 2024.	15 Apr 202502:38	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js affect IBM Business Automation Workflow	1 Mar 202419:23	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.15 and earlier	19 Mar 202420:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities	15 Apr 202502:23	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js	15 Apr 202502:40	–	ibm
FreeBSD	NodeJS -- Vulnerabilities	14 Feb 202400:00	–	freebsd
Tenable Nessus	Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-544)	6 Mar 202400:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0247: nodejs:20 (ALINUX3-SA-2024:0247)	14 May 202500:00	–	nessus