CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-21896

CVSS 9.8v3.1pub. 2024-02-20upd. 2025-04-02

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

🤖 AI Analysis
How it works

The permission model in Node.js protects against path traversal attacks by calling the path.resolve() function on user-supplied paths and then converting the result to a Buffer object using Buffer.from(). An attacker can apply a monkey-patching technique by replacing the internal Buffer.prototype.utf8Write method, which allows modification of the result returned by path.resolve(). As a result, the path traversal protection mechanism is bypassed, and the application can be forced to read or write files outside the intended paths.

Impact

An attacker can gain unauthorized access to files and file system resources outside allowed paths, leading to violation of confidentiality, integrity, and availability of data processed by the application.

Mitigation & patch

Apply patches available from the vendor according to references. If updating is not possible, consider disabling the experimental permission model until the fix is deployed.

Who is affected

Users using the experimental permission model in Node.js 20 and Node.js 21. The vulnerability does not affect installations where the permission model is not enabled.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Node.js

    APP
    Nodejs
    20.0.0 – 20.11.1 (bez)21.0.0 – 21.6.2 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-48930CRITICAL9.8PL ✓ten sam produkt

Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority

CVE-2026-21636CRITICAL10.0PL ✓ten sam produkt

Node.js: obejście modelu uprawnień przez Unix Domain Socket

CVE-2025-55130CRITICAL9.1PL ✓ten sam produkt

Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki

CVE-2024-3566CRITICAL9.8PL ✓ten sam produkt

Command injection w aplikacjach Windows korzystających z CreateProcess

CVE-2023-39332CRITICAL9.8ten sam produkt

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...