CVE-2024-37372: The Permission Model assumes that any path starting with two backslashes (\\) has a four-character prefix that can be ignored, which is not always...

Description

The Permission Model assumes that any path starting with two backslashes (\\) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

Classification

CVE ID: CVE-2024-37372

CVSS Base Severity: LOW

CVSS Base Score: 3.6

Affected Products

Vendor: nodejs

Product: node

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.64% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-07 (date this score was calculated)

References

http://www.openwall.com/lists/oss-security/2024/07/11/6
http://www.openwall.com/lists/oss-security/2024/07/19/3