CVE-2024-21891: 
npm vulnerability analysis and mitigation

Node.js versions prior to 20.11.1 and 21.6.2 contain a vulnerability in the experimental permission model where built-in utility functions used to normalize paths provided to node:fs functions can be overwritten with user-defined implementations. This vulnerability was discovered in early 2024 and affects all users using the experimental permission model in Node.js 20 and Node.js 21 release lines (NVD, OSS Security).

The vulnerability stems from the way Node.js handles path normalization in its permission model. The built-in utility functions that normalize paths provided to node:fs functions can be overwritten, leading to filesystem permission model bypass through path traversal attacks. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to filesystem permission model bypass, potentially resulting in unauthorized access to files outside the permitted directories. The impact includes possible disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been patched in Node.js versions 20.11.1 and 21.6.2. Users running affected versions should upgrade to these patched versions or later. Since this vulnerability specifically affects the experimental permission model, users who are not using this feature are not impacted (Red Hat Advisory).