3 matches found
AZL-39734 CVE-2024-30260 affecting package nodejs for versions less than 20.14.0-1
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...
AZL-35046 CVE-2024-21891 affecting package nodejs for versions less than 20.14.0-1
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experiment...
AZL-35900 CVE-2024-21890 affecting package nodejs for versions less than 20.14.0-1
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/.pub will ignore pub and give access to everything after .ssh/. This misleading documentation affects all users...