CVE-2024-21891

Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 20 Feb 2024, 01:31
Last modified:30 Apr 2025, 22:25

Vulnerability Summary

Overall Risk (default)
medium
35/100
CVSS Score
8.8 HIGH
v3.1 (nvd)
EPSS Score
0.24% LOW
0% probability +0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Feb 2024, 01:31
Published
Vulnerability first disclosed
30 Apr 2025, 22:25
Last Modified
Vulnerability information updated

Description

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS Metrics

  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • v3.0HIGHScore: 7.9CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.24% Percentile: 47%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • nodejsnode

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.* | ≥ 15.0, < 15.* | ≥ 16.0, < 16.* | ≥ 17.0, < 17.* | ≥ 19.0, < 19.* | ≥ 20.0, < 20.11.1 | ≥ 21.0, < 21.6.2

  • nodejsnode.js

    ≥ 20.0.0, < 20.11.1 | ≥ 21.0.0, < 21.6.2

References (3)