VYPR
← All advisories
Low severity2.9NVD Advisory· Published Jul 10, 2024· Updated Apr 15, 2026

CVE-2024-22018

CVE-2024-22018

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Node.js, the experimental permission model fails to restrict file stats via fs.lstat, allowing unauthorized access to file metadata.

Vulnerability

Description

CVE-2024-22019 is a vulnerability in Node.js that affects users of the experimental permission model when the --allow-fs-read flag is used. The flaw arises from an inadequate permission model that fails to properly restrict the fs.lstat API. As a result, users with the permission model enabled can retrieve file stats (metadata such as file size, permissions, and timestamps) for files they do not have explicit read access to, contrary to the intended restrictions [1].

Exploitation

To exploit this vulnerability, an attacker must have the ability to execute code within a Node.js environment that has the experimental permission model enabled and the --allow-fs-read flag set. No additional authentication is required beyond the ability to run Node.js scripts. The attack is local or remote depending on how Node.js is deployed, but the attacker must be able to call fs.lstat() on a target file without having explicit read permission for that file. The vulnerability does not require any special network position beyond having access to the Node.js process [2].

Impact

The impact is limited to information disclosure. An attacker can obtain file metadata, which may reveal sensitive information such as file existence, size, modification times, and permissions. This could help an attacker map out files on the system or identify configuration files. However, the attacker cannot read the contents of the files, only their metadata. The CVSS score of 2.9 reflects the low severity, as the leaked information is limited and requires the experimental feature to be enabled [1][2].

Mitigation

Node.js has released updates that fix this vulnerability in versions 20.15.0 and 21.7.3. Users are advised to upgrade to these or later versions. As the permission model remains experimental, users should be aware that similar issues may arise and should apply security updates promptly. At the time of publication, no workaround other than disabling the permission model is available [2].

References
  1. security - Re: Fwd: Node.js security updates for all active release lines, July 2024
  2. security - Re: Fwd: Node.js security updates for all active release lines, July 2024

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

23

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.