CVE-2024-22018: fs.lstat Bypasses the Experimental Permission Model in Node.js

A security vulnerability, tracked as CVE-2024-22018, has been identified in Node.js. It affects users who run with the experimental permission model (--experimental-permission) and restrict file system reads with the --allow-fs-read flag. The flaw stems from an inadequate permission check: the fs.lstat API is not restricted by the read allow-list, so a caller can retrieve file stats (type, size, mode, ownership, timestamps) for paths it has not been granted read access to.

Affected Versions

This vulnerability affects all users of the experimental permission model in Node.js 20 and Node.js 22 (the official advisory does not list Node.js 21, which had already reached end of life). It was fixed in the July 2024 security releases, v20.15.1 and v22.4.1, and was rated Low severity by the Node.js project, in part because the permission model was still experimental when the CVE was issued.

Vulnerability Details

When Node.js is started with --experimental-permission and --allow-fs-read limited to specific paths, every file system read operation is expected to be checked against that allow-list before it runs. fs.lstat (and fs.lstatSync) did not receive that check, so metadata for any path on the system could be read. The following snippet illustrates the problem:

const fs = require("fs");

// Run as: node --experimental-permission --allow-fs-read=/allowed/dir script.js <path>
// filePath stands in for an arbitrary, attacker-controlled path (here the first CLI argument)
const filePath = process.argv[2];

// With --allow-fs-read=/allowed/dir, a path outside that directory should fail
// with ERR_ACCESS_DENIED; on affected versions fs.lstat returns the stats anyway.
fs.lstat(filePath, (err, stats) => {
  if (err) {
    console.error("Error:", err);
    return;
  }

  console.log("Stats:", stats);
});

In this example, fs.lstat returns file statistics for whatever path it is given. Under the experimental permission model with --allow-fs-read, the expected outcome for a path outside the allowed set is an error with code ERR_ACCESS_DENIED, just as fs.readFile would fail. On affected versions the call succeeds instead. The bypass does not expose file contents, but it does disclose whether a path exists, its type (lstat does not follow symbolic links, so it also reveals whether the path is a symlink), its size, permission bits, owner and modification times, which is enough to map a file system the process was not supposed to see.

Original References

1. Node.js Release Notes - detailing affected versions and the usage of the experimental permission model with the --allow-fs-read flag: https://nodejs.org/en/blog/release/

2. Node.js Documentation - provides guidance on the fs.lstat API, explaining the expected behavior and restrictions: https://nodejs.org/api/fs.html#fs_fs_lstat_path_options_callback

3. Node.js Experimental Features - a list that includes the experimental permission model discussed in this CVE: https://nodejs.org/api/documentation.html#documentation_experimental_features

Exploit Details

Although there have not yet been any reports of this vulnerability being exploited in the wild, the potential for abuse exists wherever a path reaching fs.lstat is attacker-controlled. To mitigate the risk posed by CVE-2024-22018, users running Node.js 20 or 22 with the experimental permission model should:

1. Update to a release that contains the fix (v20.15.1, v22.4.1, or later), preferably an LTS (long-term support) line, so that the runtime's own permission checks cover fs.lstat: https://nodejs.org/en/download/

2. Refrain from relying on experimental features such as the permission model as a security boundary in production systems; they are more likely to contain undiscovered gaps or incomplete functionality, and their guarantees can change between releases.

3. Implement access controls and input validation at the application level: canonicalize user-supplied paths (for example with path.resolve) and check them against an explicit allow-list of directories before passing them to fs.lstat or any other fs API, rather than depending on the runtime to reject them.

Conclusion

CVE-2024-22018 is a Low-severity vulnerability in Node.js that affects users of the experimental permission model when --allow-fs-read is used. Because fs.lstat was not subject to the read allow-list, a caller could obtain file metadata for paths it had no read access to. Mitigating the risk requires updating to a fixed release (v20.15.1, v22.4.1 or later), not treating experimental features as a security boundary in production, and validating and allow-listing file paths within the application itself.

Timeline

Published on: 07/10/2024 02:15:03 UTC
Last modified on: 07/19/2024 14:15:05 UTC