CVE-2024-36137

Vulnerability

Overview A flaw in Node.js's experimental permission model allows bypassing write restrictions via file descriptor operations. The permission model checks file path operations but does not intercept system calls that operate on file descriptors, such as fs.fchmod and fs.fchown [1]. Consequently, a process granted read-only file access can still alter the file's permissions or ownership using the same file descriptor.

Exploitation

Scenario An attacker who can execute code within a Node.js process restricted by the --allow-fs-write flag can open a file with read-only permissions (e.g., using fs.open). Since the permission model allows read access, the file descriptor obtained can then be used to call fs.fchmod or fs.fchown, which change the file's mode or owner without triggering a permission check [1]. No additional authentication or network position is required if code execution is already achieved.

Impact

Successful exploitation lets an attacker modify file permissions (e.g., making a file writable) or change file ownership, effectively bypassing intended write restrictions. This could lead to privilege escalation or unauthorized data modification, though the vulnerability is rated Low severity due to the experimental nature of the permission model and the prerequisite of code execution.

Mitigation

Node.js has released security updates for versions 22.5.0, 20.15.0, and 18.20.4 to fix this issue [1]. Users relying on the experimental permission model should upgrade immediately. As a workaround, avoid using the permission model with file descriptor operations until updated.