CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/03/11/1	Mailing List Third Party Advisory
https://hackerone.com/reports/2218653	Issue Tracking
https://security.netapp.com/advisory/ntap-20240329-0002/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/11/1	Mailing List Third Party Advisory
https://hackerone.com/reports/2218653	Issue Tracking
https://security.netapp.com/advisory/ntap-20240329-0002/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*

History

02 Apr 2025, 20:09

Type	Values Removed	Values Added
First Time		Nodejs Nodejs node.js
CVSS	v2 : ~~unknown~~ v3 : ~~7.9~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:nodejs:node.js:::::-:::*
References	~~() http://www.openwall.com/lists/oss-security/2024/03/11/1 -~~	() http://www.openwall.com/lists/oss-security/2024/03/11/1 - Mailing List, Third Party Advisory
References	~~() https://hackerone.com/reports/2218653 -~~	() https://hackerone.com/reports/2218653 - Issue Tracking
References	~~() https://security.netapp.com/advisory/ntap-20240329-0002/ -~~	() https://security.netapp.com/advisory/ntap-20240329-0002/ - Third Party Advisory

21 Nov 2024, 08:55

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2024/03/11/1 -~~	() http://www.openwall.com/lists/oss-security/2024/03/11/1 -
References	~~() https://hackerone.com/reports/2218653 -~~	() https://hackerone.com/reports/2218653 -
References	~~() https://security.netapp.com/advisory/ntap-20240329-0002/ -~~	() https://security.netapp.com/advisory/ntap-20240329-0002/ -

27 Aug 2024, 16:35

Type	Values Removed	Values Added
CWE		CWE-27

01 May 2024, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/03/11/1 -

29 Mar 2024, 13:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240329-0002/ -

20 Feb 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 02:15

Updated : 2025-04-02 20:09

NVD link : CVE-2024-21896

Mitre link : CVE-2024-21896

CVE.ORG link : CVE-2024-21896

JSON object : View

Products Affected

nodejs

node.js

CWE

CWE-27

Path Traversal: 'dir/../../filename'

9.8 /10