CVSS: 5.9EPSS: 0%CPEs: 18EXPL: 0CVE-2024-36137 – nodejs: fs.fchown/fchmod bypasses permission model
https://notcve.org/view.php?id=CVE-2024-36137
07 Sep 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on fil... • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.1EPSS: 0%CPEs: 19EXPL: 0CVE-2024-36138 – openSUSE Security Advisory - openSUSE-SU-2024:14435-1
https://notcve.org/view.php?id=CVE-2024-36138
17 Jul 2024 — Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. These are all security issues fixed in the corepack22-22.10.0-1.1 package on the GA media of openSUSE Tumbleweed. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.5EPSS: 0%CPEs: 18EXPL: 0CVE-2024-27980 – SUSE Security Advisory - SUSE-SU-2024:2542-1
https://notcve.org/view.php?id=CVE-2024-27980
17 Jul 2024 — Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. This update for nodejs18 fixes the following issues. • http://www.openwall.com/lists/oss-security/2024/04/10/15 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 2.9EPSS: 0%CPEs: 18EXPL: 0CVE-2024-22018 – nodejs: fs.lstat bypasses permission model
https://notcve.org/view.php?id=CVE-2024-22018
10 Jul 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was iss... • http://www.openwall.com/lists/oss-security/2024/07/11/6 •
CVSS: 7.6EPSS: 0%CPEs: 19EXPL: 0CVE-2024-22020 – nodejs: Bypass network import restriction via data URL
https://notcve.org/view.php?id=CVE-2024-22020
09 Jul 2024 — A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. Un fallo de seguridad en Node.js permite eludir las restricciones de importación de la red. Al incorporar importaci... • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-284: Improper Access Control •
CVSS: 2.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38372 – Undici vulnerable to data leak when using response.arrayBuffer()
https://notcve.org/view.php?id=CVE-2024-38372
08 Jul 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process. This has been patched in v6.19.2. Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Dependiendo de las condiciones de la red y del proceso de una solicitud `fetch()`, `response.arrayBuffer()` podría incluir parte de la memoria del proceso Node.js. • https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 5.3EPSS: 0%CPEs: 15EXPL: 0CVE-2023-30582 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30582
09 May 2024 — A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulne... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 15EXPL: 0CVE-2023-30584 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30584
09 May 2024 — A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2023-30587 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30587
09 May 2024 — A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please n... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2023-30583 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30583
09 May 2024 — fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •