vulnerability
Alma Linux: CVE-2024-21891: Important: nodejs:20 security update (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Feb 20, 2024 | Apr 11, 2024 | Apr 17, 2026 |
Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Feb 20, 2024
Added
Apr 11, 2024
Modified
Apr 17, 2026
Description
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Solutions
alma-upgrade-nodejsalma-upgrade-nodejs-develalma-upgrade-nodejs-docsalma-upgrade-nodejs-full-i18nalma-upgrade-nodejs-nodemonalma-upgrade-nodejs-packagingalma-upgrade-nodejs-packaging-bundleralma-upgrade-npm
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.