CVE-2024-36137: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is...

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.

The Node.js Permission Model does not operate on file descriptors; as a result, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

Classification

CVE ID: CVE-2024-36137

CVSS Base Severity: LOW

CVSS Base Score: 3.3

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor: NodeJS

Product: Node

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation)

EPSS Percentile: 3.51% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-29 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-36137
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Timeline