The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The permission model in Node.js protects against path traversal attacks by calling the path.resolve() function on user-supplied paths and then converting the result to a Buffer object using Buffer.from(). An attacker can apply a monkey-patching technique by replacing the internal Buffer.prototype.utf8Write method, which allows modification of the result returned by path.resolve(). As a result, the path traversal protection mechanism is bypassed, and the application can be forced to read or write files outside the intended paths.
An attacker can gain unauthorized access to files and file system resources outside allowed paths, leading to violation of confidentiality, integrity, and availability of data processed by the application.
Apply patches available from the vendor according to references. If updating is not possible, consider disabling the experimental permission model until the fix is deployed.
Users using the experimental permission model in Node.js 20 and Node.js 21. The vulnerability does not affect installations where the permission model is not enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNode.js
APPNodejs20.0.0 – 20.11.1 (bez)21.0.0 – 21.6.2 (bez)
Related vulnerabilities
Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority
Node.js: obejście modelu uprawnień przez Unix Domain Socket
Obejście modelu uprawnień w Node.js poprzez spreparowane symlinki
Command injection w aplikacjach Windows korzystających z CreateProcess
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...