Misleading Documentation Affects Node.js Users
CVE-2024-21890

6.5MEDIUM

Key Information:

Vendor: Node.js
Status: Node.js
Vendor: CVE Published:; 20 February 2024

What is CVE-2024-21890?

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:

 --allow-fs-read=/home/node/.ssh/*.pub

will ignore pub and give access to everything after .ssh/.

This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Affected Version(s)

Node.js 21.6.0

Node.js 20.11.0

References

https://hackerone.com/reports/2257156

https://security.netapp.com/advisory/ntap-20240315-0002/

http://www.openwall.com/lists/oss-security/2024/03/11/1

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2024
Vulnerability Reserved
Jan 3, 2024