UBUNTU-CVE-2024-21891
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 20 Feb 2024, 02:15
Last modified: 16 Jul 2025, 07:46
Vulnerability Summary
Overall Risk (default): medium (35/100)
CVSS Score: 8.8 HIGH (v3.1, source: osv_ubuntu)
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
20 Feb 2024, 02:15
Published
Vulnerability first disclosed
16 Jul 2025, 07:46
Last Modified
Vulnerability information updated
Description
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack. This vulnerability affects all users of the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model was an experimental feature of Node.js.
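The bug class the description names, as an added illustration that is not Node.js source and not the actual CVE-2024-21891 proof of concept (the specific functions and the fix in the referenced commit are not reproduced here): a toy permission check whose path normalization is looked up on a shared, mutable object at call time, beside a version that snapshots the function at load time, before any user code can replace it, which is the general idea behind the internal "primordials" Node.js uses to avoid depending on user-modifiable globals. `normalizePosix`, `pathUtils`, `vulnerableCheck`, `hardenedCheck`, `monkeyPatch` and the sample paths are all constructed for this example. Note that the real permission model is opt-in (started with `--experimental-permission` on Node.js 20/21), so only processes launched with that flag rely on this check at all.

```javascript
// Added example: a toy model of the bug class behind CVE-2024-21891.
// Not Node.js code and not the real exploit; all names below are constructed.

const ALLOWED_ROOT = '/app/data';

// Stand-in for a built-in path utility: resolves '.' and '..' segments of an
// absolute POSIX path. Real Node.js uses node:path and internal helpers.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Shared, user-reachable object, standing in for a public module whose
// exports user code is free to reassign.
const pathUtils = { normalize: normalizePosix };

function isUnderRoot(resolved) {
  return resolved === ALLOWED_ROOT || resolved.startsWith(ALLOWED_ROOT + '/');
}

// Vulnerable pattern: looks up pathUtils.normalize at call time, so whatever
// user code has assigned there decides the outcome of the check.
function vulnerableCheck(p) {
  return isUnderRoot(pathUtils.normalize(p));
}

// Hardened pattern: capture the original function once, at module load and
// before any user code runs, and never consult the mutable object again.
const capturedNormalize = pathUtils.normalize;
function hardenedCheck(p) {
  return isUnderRoot(capturedNormalize(p));
}

// Simulated untrusted user code (constructed): replace the shared utility so
// that every path, traversal included, "normalizes" to something allowed.
function monkeyPatch() {
  pathUtils.normalize = () => ALLOWED_ROOT + '/innocent.txt';
}

// Runs the same traversal path through both checks before and after the
// overwrite and returns the four verdicts; restores the utility afterwards.
function demo() {
  const traversal = '/app/data/../../etc/passwd';
  const before = { vuln: vulnerableCheck(traversal), hard: hardenedCheck(traversal) };
  monkeyPatch();
  const after = { vuln: vulnerableCheck(traversal), hard: hardenedCheck(traversal) };
  pathUtils.normalize = capturedNormalize;
  return { before, after };
}

console.log(JSON.stringify(demo()));
```

Before the overwrite both checks reject the traversal; afterwards only the call-time lookup is fooled, while the snapshot taken at load still resolves the path to `/etc/passwd` and denies it. The practical lesson for anyone writing a sandbox in JavaScript is the same as Node's: a security boundary must not call through objects the code it is restricting can mutate.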
CVSS Metrics
- v3.1 • HIGH • Score: 8.8 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- v3.0 • HIGH • Score: 7.9 • CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected Systems
- ubuntu • nodejs • affected versions: < 20.18.1+dfsg-1ubuntu2
References (4)
- https://ubuntu.com/security/CVE-2024-21891
- https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#multiple-permission-model-bypasses-due-to-improper-path-traversal-sequence-sanitization-cve-2024-21891---medium
- https://www.cve.org/CVERecord?id=CVE-2024-21891
- https://github.com/nodejs/node/commit/e9f395e77afee5490b5ae9a677231e2f7072e72c