Recent Vulnerabilities Research Posts Trends Blog About Contact

Published: 20/02/2024 Updated: 01/05/2024

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

oss-sec mailing list archives   By Date By Thread </form>    NodeJS v{18x,20x,21x} February Security Updates   From: suarezmiguelc ...

https://hackerone.com/reports/2218653 https://security.netapp.com/advisory/ntap-20240329-0002/http://www.openwall.com/lists/oss-security/2024/03/11/1 https://nvd.nist.gov https://seclists.org/oss-sec/2024/q1/205

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2024-21896

Vulnerability Summary

Vulnerability Trend

Mailing Lists

References

Vulmon Search

About

Products

Connect