CVE-2024-36137
3.3
LOW
CVSS 3.1
EPSS 0.10%
Description
A vulnerability has been identified in Node.js that affects users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors, so operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
How to fix CVE-2024-36137
To remediate CVE-2024-36137, upgrade the affected package to a fixed version below.
- —upgrade to 20.15.1-r0 or later
- —upgrade to 20.15.1 or later
- —upgrade to 20.18.1 or later
- —upgrade to 20.15.1+dfsg-1 or later
Is CVE-2024-36137 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 20.15.1-r0
- >= 20.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
- >= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- from 0, < 20.15.1+dfsg-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |