CVE-2024-21896
📋 TL;DR
This CVE describes a path traversal in the experimental permission model of Node.js 20 and 21. The model defends against traversal by running user-supplied paths through path.resolve(); when the path is supplied as a Buffer, the resolved result is written back through Buffer.prototype.utf8Write, which is invoked from native code. JavaScript that monkey-patches Buffer.prototype.utf8Write can therefore rewrite the path after it has been resolved, so a path outside the granted --allow-fs-read / --allow-fs-write scope passes the check and the process gains unauthorized file system access. It affects all users of Node.js 20 and 21 who start node with --experimental-permission.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
The file system restrictions of the permission model (--allow-fs-read / --allow-fs-write) are fully bypassed: code running in the process can read, modify, or delete any file the Node.js process's OS user can reach, which can lead to data theft, theft of credentials and further compromise of the host.
Likely Case
Reading or writing files outside the allowed paths (configuration files, credentials, user data), leading to a data breach or to privilege escalation via the files the process user can reach.
If Mitigated
If the permission model is not enabled there is nothing to bypass, so this CVE does not apply (the process then has unrestricted file access by design). Where it is enabled, impact is bounded by controls outside the process: the OS user the Node.js process runs as, its file system permissions, and any container or sandbox around it.
🎯 Exploit Status
Exploitation requires the ability to execute arbitrary JavaScript in the Node.js process (for example an untrusted dependency or plugin that the permission model was meant to constrain) and requires the permission model to be enabled with --experimental-permission. No network access or additional privileges are needed beyond that.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js 20.11.1 and 21.6.2
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/
Restart Required: Yes
Instructions:
1. Check current Node.js version: node --version
2. Update to Node.js 20.11.1 or 21.6.2 using your package manager
3. Restart all Node.js applications
4. Verify update with: node --version
🔧 Temporary Workarounds
Disable Permission Model
Remove the --experimental-permission flag (and the --allow-fs-read / --allow-fs-write flags that accompany it) from all Node.js startup commands, scripts, service units and NODE_OPTIONS.
Caveat: this does not close the hole so much as stop relying on the control it defeats. Without the flag the process has unrestricted file system access by design, so compensate with OS-level restrictions until you can upgrade.
🧯 If You Can't Patch
- Stop relying on the experimental permission model as a security boundary: remove --experimental-permission from all Node.js applications, since its file system restrictions can be bypassed on affected versions.
- Enforce the restrictions outside the process instead: run Node.js as a dedicated low-privilege user, apply strict file system permissions, and use container or OS sandboxing to limit which files the process can access.
🔍 How to Verify
Check if Vulnerable:
Vulnerable only if both conditions hold: node --version reports 20.x below 20.11.1 or 21.x below 21.6.2, AND the process is started with --experimental-permission (on the node command line or via NODE_OPTIONS). From inside a running process, process.execArgv lists the flags node was started with.
Check Version:
node --version
Verify Fix Applied:
Verify Node.js version is 20.11.1 or higher for v20, or 21.6.2 or higher for v21: node --version
📡 Detection & Monitoring
Log Indicators:
- Unexpected file access patterns from Node.js processes, in particular reads or writes outside the paths granted with --allow-fs-read / --allow-fs-write
- ERR_ACCESS_DENIED errors from the permission model that reference unexpected or traversal-style paths (a failed attempt before the bypass succeeds)
- Assignments to Buffer.prototype.utf8Write in loaded application code or dependencies; Node.js does not log prototype modification itself, so this is found by code or dependency review rather than in runtime logs
Network Indicators:
- Unusual outbound file transfers from Node.js processes
SIEM Query:
Process execution where the image is node AND the command line contains '--experimental-permission' AND ((version is 20.x AND version < 20.11.1) OR (version is 21.x AND version < 21.6.2))
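The following is an added example, not code from the Node.js project or from the advisory. It implements the check described under "How to Verify" and the SIEM logic above in one place: a predicate that decides whether a Node.js process is exposed from its version string and start-up flags, and a scan of process-execution records with that predicate. The fixed versions (20.11.1 and 21.6.2) come from the advisory; the log line format and the records themselves are constructed for the example.

```javascript
// Added example (not Node.js project code): is a node process exposed to
// CVE-2024-21896? Exposed only if the release line is 20 or 21, the version is
// below the fixed release, AND the permission model is enabled. Without
// --experimental-permission there is nothing to bypass.
//
// Assumptions: fixed versions 20.11.1 and 21.6.2 (from the advisory); the
// "<host> <node_version> <command line>" record format below is constructed.

const FIXED = { 20: [20, 11, 1], 21: [21, 6, 2] };

// Parse "v20.11.0" or "20.11.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The permission model is switched on by --experimental-permission, either on
// the node command line or through the NODE_OPTIONS environment variable.
function permissionModelEnabled(argv, nodeOptions = '') {
  const flag = '--experimental-permission';
  return argv.includes(flag) || nodeOptions.split(/\s+/).includes(flag);
}

function isVulnerable(version, argv, nodeOptions = '') {
  const parsed = parseVersion(version);
  if (!parsed) return false;
  const fixed = FIXED[parsed[0]];
  if (!fixed) return false;                              // 18.x, 22.x etc.: no affected model
  if (compareVersions(parsed, fixed) >= 0) return false; // patched release
  return permissionModelEnabled(argv, nodeOptions);
}

// Self-check for the running process: version plus the flags node started with.
function checkSelf() {
  return isVulnerable(process.version, process.execArgv, process.env.NODE_OPTIONS || '');
}

// Constructed process-execution records (not real telemetry).
const SAMPLE_LOG = [
  'web-01 v20.10.0 node --experimental-permission --allow-fs-read=/srv/app server.js',
  'web-02 v20.11.1 node --experimental-permission --allow-fs-read=/srv/app server.js',
  'api-01 v21.6.1 node --experimental-permission worker.js',
  'api-02 v21.6.1 node worker.js',
  'batch-01 v18.19.1 node --experimental-permission job.js',
];

// Return the hosts whose records match the SIEM query: node, flag present,
// version below the fix for its release line.
function scanProcessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [host, version, ...cmd] = line.split(/\s+/);
    if (cmd[0] === 'node' && isVulnerable(version, cmd)) hits.push(host);
  }
  return hits;
}

console.log('this process exposed:', checkSelf());
console.log('exposed hosts:', scanProcessLog(SAMPLE_LOG));
```

Run it with node to check the current process, or feed scanProcessLog records exported from your EDR or process-audit source in the same three-field shape. Only web-01 and api-01 match: web-02 is already on the fixed release, api-02 never enabled the model, and batch-01 runs a release line without the affected model.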
🔗 References
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://hackerone.com/reports/2218653
- https://security.netapp.com/advisory/ntap-20240329-0002/