Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack.

Impacts: This vulnerability affects all users using the experimental permission model in active release lines: 20.x and 21.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
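The weakness class described above, shown on a toy allow-list check next to a hardened form that captures its helpers before other code can replace them. This is an added example, not Node.js source or the upstream fix; `ALLOWED_ROOT`, the function names and the sample paths are constructed for illustration.

```javascript
'use strict';
// Added illustration: toy allow-list check, not Node.js's permission model code.
const path = require('node:path');

const ALLOWED_ROOT = '/srv/app/data'; // constructed sample root

// Weak form: looks up path.posix.resolve at call time, so any code that ran
// earlier in the process and reassigned it controls what the check sees.
function isAllowedLate(requested) {
  const full = path.posix.resolve(ALLOWED_ROOT, requested);
  return full === ALLOWED_ROOT || full.startsWith(ALLOWED_ROOT + '/');
}

// Hardened form: references captured at load time, before untrusted code runs,
// and invoked without going back through the mutable module or prototype.
const resolveAtLoad = path.posix.resolve;
const startsWith = Function.prototype.call.bind(String.prototype.startsWith);

function isAllowedCaptured(requested) {
  const full = resolveAtLoad(ALLOWED_ROOT, requested);
  return full === ALLOWED_ROOT || startsWith(full, ALLOWED_ROOT + '/');
}

// Simulates user code replacing the shared helper with one that skips ".."
// collapsing, runs both checks on the same input, then restores the original.
function compareUnderTampering(requested) {
  const original = path.posix.resolve;
  path.posix.resolve = (...parts) => parts.join('/');
  try {
    return {
      late: isAllowedLate(requested),
      captured: isAllowedCaptured(requested),
    };
  } finally {
    path.posix.resolve = original;
  }
}

// Detection aid: true when the shared helper no longer matches the one
// captured at load time.
function helperWasReplaced() {
  return path.posix.resolve !== resolveAtLoad;
}
```

Captured references only help when the capture happens before any untrusted module is loaded; a check that resolves its helpers lazily inherits whatever state the process is in at call time.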
Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2265721]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687