CVE-2024-36137
LOW 3.3 | EPSS 0.10% | Published: 9/7/2024 | Modified: 4/28/2026
Description
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
Affected packages (4)
- Alpine/nodejs: from 0, < 20.15.1-r0
- Bitnami/node: >= 20.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
- Bitnami/node-min: >= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- Debian/nodejs: from 0, < 20.15.1+dfsg-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
References (5)
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2024-36137
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2024-36137
- WEB: https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2024-36137
- WEB: https://security.netapp.com/advisory/ntap-20241122-0005/