CVE-2024-21896
nodejs: path traversal by monkey-patching buffer internals
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
El modelo de permiso se protege contra ataques de path traversal llamando a path.resolve() en cualquier ruta proporcionada por el usuario. Si la ruta se va a tratar como un búfer, la implementación usa Buffer.from() para obtener un búfer a partir del resultado de path.resolve(). Al parchear los componentes internos del Buffer, es decir, Buffer.prototype.utf8Write, la aplicación puede modificar el resultado de path.resolve(), lo que conduce a una vulnerabilidad de path traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. Tenga en cuenta que en el momento en que se emitió este CVE, el modelo de permiso es una característica experimental de Node.js.
A flaw was found in Node.js. The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a buffer, the implementation uses Buffer.from() to obtain a buffer from the result of path.resolve(). By monkey-patching buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-01-03 CVE Reserved
- 2024-02-20 CVE Published
- 2025-02-13 CVE Updated
- 2025-04-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-27: Path Traversal: 'dir/../../filename'
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2024/03/11/1 |
|
|
| https://hackerone.com/reports/2218653 | ||
| https://security.netapp.com/advisory/ntap-20240329-0002 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-21896 | 2024-04-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2265717 | 2024-04-08 |