CVE-2024-21891
📋 TL;DR
This vulnerability allows attackers to bypass Node.js's experimental permission model by overwriting built-in path normalization functions, enabling path traversal attacks that can access restricted files. It affects all users running Node.js 20 or 21 with the experimental permission model enabled. Since the permission model is experimental, this primarily impacts developers testing this feature.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Complete filesystem access bypass allowing reading, writing, or deleting any file accessible to the Node.js process, potentially leading to data theft, system compromise, or service disruption.
Likely Case
Limited file access bypass within the application's context, potentially exposing sensitive configuration files, logs, or application data.
If Mitigated
No impact if the experimental permission model is disabled, as the vulnerability only exists when this feature is actively being used.
🎯 Exploit Status
Exploitation requires the ability to execute arbitrary JavaScript code within the Node.js process. The HackerOne report demonstrates working proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 20.11.1 and 21.6.2
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/
Restart Required: Yes
Instructions:
1. Check current Node.js version: node --version
2. Update to patched version:
- For Node.js 20: Update to 20.11.1 or later
- For Node.js 21: Update to 21.6.2 or later
3. Restart all Node.js applications and services
🔧 Temporary Workarounds
Disable Experimental Permission Model
Remove the --experimental-permission flag from all Node.js startup commands, scripts and configurations
🧯 If You Can't Patch
- Disable the experimental permission model immediately by removing --experimental-permission flag
- Implement strict input validation and sanitization for all file path inputs in your application
🔍 How to Verify
Check if Vulnerable:
Check if Node.js version is 20.x or 21.x AND the --experimental-permission flag is being used
Check Version:
node --version
Verify Fix Applied:
Verify Node.js version is 20.11.1+ or 21.6.2+ and restart applications
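The two-part check above (affected release line AND the flag in use) can be scripted. This is an added example, not code from the advisory or the Node.js project: the function names and the inventory records are constructed for illustration, and it assumes the flag may also be supplied through NODE_OPTIONS.

```javascript
// First fixed release per affected line, as listed in the advisory above.
const FIXED = { 20: [20, 11, 1], 21: [21, 6, 2] };
const FLAG = '--experimental-permission';

// Parse "v20.11.0" or "20.11.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is on the 20.x or 21.x line and below its fix.
function isAffectedVersion(v) {
  const ver = parseVersion(v);
  const fixed = ver && FIXED[ver[0]];
  if (!fixed) return false;
  for (let i = 0; i < 3; i++) {
    if (ver[i] !== fixed[i]) return ver[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// True when the flag appears as a whole token in the exec args or in
// NODE_OPTIONS (assumption: the flag can be passed either way).
function usesPermissionModel(argv, nodeOptions = '') {
  return [...argv, ...nodeOptions.split(/\s+/)].some((t) => t === FLAG);
}

function assess(rec) {
  if (!parseVersion(rec.version)) return 'unknown version';
  const affected = isAffectedVersion(rec.version);
  if (affected && usesPermissionModel(rec.argv, rec.nodeOptions)) return 'VULNERABLE';
  return affected ? 'affected version, permission model off' : 'not affected';
}

// Constructed inventory records (hypothetical hosts and command lines).
const inventory = [
  { host: 'build-01', version: 'v20.11.0', argv: [FLAG, '--allow-fs-read=/app'] },
  { host: 'api-02', version: 'v21.6.1', argv: [], nodeOptions: FLAG },
  { host: 'api-03', version: 'v20.11.1', argv: [FLAG] },
  { host: 'web-04', version: 'v20.9.0', argv: ['--max-old-space-size=512'] },
];
for (const r of inventory) console.log(r.host, '->', assess(r));

// Self-check of the process running this script.
console.log('this process ->', assess({
  version: process.version,
  argv: process.execArgv,
  nodeOptions: process.env.NODE_OPTIONS || '',
}));
```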
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns, permission model bypass attempts, path traversal patterns in file operations
Network Indicators:
- N/A - This is a local filesystem vulnerability
SIEM Query:
Search for Node.js processes running with --experimental-permission flag on versions 20.x or 21.x before patched versions
🔗 References
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://hackerone.com/reports/2259914
- https://security.netapp.com/advisory/ntap-20240315-0005/