CVE-2024-21890: 
npm vulnerability analysis and mitigation

The Node.js Permission Model vulnerability (CVE-2024-21890) affects Node.js versions 20.x and 21.x. The vulnerability stems from improper documentation regarding wildcard usage in file paths, where wildcards should only be used as the last character. For example, using --allow-fs-read=/home/node/.ssh/*.pub will incorrectly ignore 'pub' and grant access to everything after '.ssh/'. This vulnerability affects all users utilizing the experimental permission model in Node.js 20 and Node.js 21 (NodeJS Blog, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue lies in the permission model's handling of wildcards in file path specifications, particularly when used with the --allow-fs-read and --allow-fs-write flags. The vulnerability exists in the experimental permission model feature, which incorrectly processes wildcard characters when they appear in file paths (NVD).

The vulnerability can lead to unintended access permissions, potentially allowing access to files and directories beyond the intended scope. When wildcards are used in file paths, the system may grant broader access than intended, potentially exposing sensitive information or allowing unauthorized file system access (OSS Security).

The issue has been addressed in Node.js versions 20.11.1 and 21.6.2. Users should upgrade to these or later versions to resolve the vulnerability. When using the permission model, ensure that wildcards are only used as the last character in file paths (NodeJS Blog).