How severe is CVE-2024-21891?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.9 out of 10.

What type of vulnerability is CVE-2024-21891?

This is classified as CWE-22, which is a common weakness in software security.

CVE-2024-21891 - HIGH Severity | CVSS 7.9

Vulnerability Description

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Related Vulnerabilities

CVE-2021-33183

HIGH

CVSS:7.9(High)

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or ...

CWE-222021

CVE-2015-8798

HIGH

CVSS:8.0(High)

Directory traversal vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for C...

CWE-222015

CVE-2018-11494

HIGH

CVSS:8.0(High)

The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step...

CWE-222018

CVE-2018-16221

HIGH

CVSS:8.0(High)

The diagnostics web interface in the Yeahlink Ultra-elegant IP Phone SIP-T41P (firmware 66.83.0.35) does not validate (escape) the path information (path traversal), which allows an authenticated remo...

CWE-222018

CVE-2018-7771

HIGH

CVSS:8.0(High)

The vulnerability exists within processing of editscript.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. A directory traversal vulnerability allows a caller with standard...

CWE-222018

CVE-2019-0887

HIGH

CVSS:8.0(High)

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Service...

CWE-222019