3 matches found
CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experiment...
SUSE CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/.pub will ignore pub and give access to everything after .ssh/. This misleading documentation affects all users...
PT-2023-8990 · Node.Js +5 · Node.Js +5
Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21 Description: The issue is related to the permission model in Node.js, which is an experimental feature. It protects itself against path traversal attacks by calling path.resolve on any paths given by the user. I...