July 9, 2024
Severity
Medium
Analysis Summary
CVE-2024-37372 (CVSS 3.7)
Node.js could allow a remote attacker to bypass security restrictions, caused by the improper processing of UNC paths by the Permission Model. An attacker could exploit this vulnerability to reach edge cases in which the Permission Model's restrictions can be bypassed.
CVE-2024-22018 (CVSS 3.7)
Node.js could allow a remote attacker to obtain sensitive information, caused by an inadequate Permission Model that fails to restrict access to file stats through the fs.lstat API. An attacker could exploit this vulnerability to retrieve stats for files to which they have no explicit read access.
CVE-2024-36137 (CVSS 3.7)
Node.js could allow a remote attacker to bypass security restrictions, caused by an error in the handling of the --allow-fs-write flag. An attacker could exploit this vulnerability by using a "read-only" file descriptor to change the owner and permissions of a file.
CVE-2024-22020 (CVSS 7.3)
Node.js could allow a remote attacker to execute arbitrary code on the system. By embedding non-network imports in data: URLs, an attacker could exploit this vulnerability to bypass the network import restrictions and execute arbitrary code.
CVE-2024-36138 (CVSS 7.3)
Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by an incomplete fix for CVE-2024-27980 (the improper handling of batch files in child_process.spawn and child_process.spawnSync). By sending a specially crafted command-line argument, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
Impact
- Gain Access
- Security Bypass
- Code Execution
Indicators of Compromise
CVE
- CVE-2024-37372
- CVE-2024-22018
- CVE-2024-36137
- CVE-2024-22020
- CVE-2024-36138
Affected Vendors
- Node.js
Affected Products
- Node.js 18.0
- Node.js 20.0
- Node.js 22.0
Remediation
Refer to the Node.js Security Advisory for patch, upgrade, or suggested workaround information.