A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

...

The vulnerability of the fs.statfs function in the Node.js software platform allows a malicious actor to gain unauthorized access to protected information.

The vulnerability of the fs.statfs function in the Node.js software platform is related to the improper assignment of permissions for the critical resource. Exploiting this vulnerability can allow an attacker, operating remotely, to gain unauthorized access to protected information using the...

AZL-43213 CVE-2024-22018 affecting package nodejs 20.14.0-13

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...

The vulnerability of the fs.openAsBlob() method in the Node.js software platform allows attackers to compromise the integrity of protected information.

The vulnerability of the fs.openAsBlob method in the Node.js programming platform is related to errors in using the --allow-fs-read flag for file system access. Exploiting this vulnerability allows a malicious actor to compromise the integrity of protected information...

The vulnerability of the fs.watchFile method in the Node.js software platform allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the fs.watchFile method in the Node.js software platform is related to errors in using the --allow-fs-read flag with an argument other than =. Exploiting this vulnerability can allow a malicious actor, operating remotely, to gain unauthorized access to protected information...

PT-2023-4525 · Node.Js · Node.Js

Name of the Vulnerable Software and Affected Versions: Node.js version 20 Description: The issue is related to the fs.openAsBlob method in Node.js, which can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag. This flaw arises from a...