Low severity3.3NVD Advisory· Published Sep 7, 2024· Updated Apr 15, 2026
CVE-2024-36137
CVE-2024-36137
Description
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
22- osv-coords20 versionspkg:apk/chainguard/nodejs-21-docpkg:apk/wolfi/nodejs-21-docpkg:bitnami/nodepkg:bitnami/node-minpkg:rpm/almalinux/nodejspkg:rpm/almalinux/nodejs-develpkg:rpm/almalinux/nodejs-docspkg:rpm/almalinux/nodejs-full-i18npkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/nodejs-packaging-bundlerpkg:rpm/almalinux/npmpkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/nodejs20&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/nodejs22&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/nodejs24&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/nodejs26&distro=openSUSE%20Tumbleweedpkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6
< 21.7.3-r13+ 19 more
- (no CPE)range: < 21.7.3-r13
- (no CPE)range: < 21.7.3-r13
- (no CPE)range: >= 20.0.0, < 20.15.1
- (no CPE)range: >= 20.0.0, < 20.18.1
- (no CPE)range: < 1:20.16.0-1.module_el8.10.0+3882+e12e42db
- (no CPE)range: < 1:20.16.0-1.module_el8.10.0+3882+e12e42db
- (no CPE)range: < 1:20.16.0-1.module_el8.10.0+3882+e12e42db
- (no CPE)range: < 1:20.16.0-1.module_el8.10.0+3882+e12e42db
- (no CPE)range: < 3.0.1-1.module_el8.9.0+3731+490e3ce5
- (no CPE)range: < 2021.06-4.module_el8.9.0+3775+d8460d35
- (no CPE)range: < 2021.06-4.module_el8.9.0+3775+d8460d35
- (no CPE)range: < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db
- (no CPE)range: < 20.15.1-150500.11.12.2
- (no CPE)range: < 20.15.1-150600.3.3.2
- (no CPE)range: < 20.15.1-1.1
- (no CPE)range: < 22.10.0-1.1
- (no CPE)range: < 24.11.1-2.1
- (no CPE)range: < 26.3.1-1.1
- (no CPE)range: < 20.15.1-150500.11.12.2
- (no CPE)range: < 20.15.1-150600.3.3.2
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.