CVE-2024-36137
npm vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-36137) has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The vulnerability was discovered in July 2024 and affects Node.js versions 20.x and 22.x. The issue exists because the Node.js permission model does not operate on file descriptors, so operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file (NodeJS Blog).

Technical details

The vulnerability stems from a limitation in Node.js's experimental permission model: file-descriptor operations bypass the intended access controls. When the --allow-fs-write flag is used, operations like fs.fchown and fs.fchmod can change a file's permissions and ownership through a read-only file descriptor, circumventing the permission model's restrictions. The vulnerability has been assigned a CVSS v3.0 score of 3.3 (LOW) with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (HackerOne).

Impact

Successful exploitation of this vulnerability could lead to unauthorized modification of file permissions and ownership, undermining the integrity of the permission model. Only users who run the experimental permission model with the --allow-fs-write flag are affected (NetApp Security).

Mitigation and workarounds

The vulnerability has been fixed in Node.js versions 22.4.1 and 20.15.1; users should upgrade to these or later versions to address the issue. The fix is a patch that makes the permission model properly handle file-descriptor operations (NodeJS Blog).
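The following script is an added example, not code from the advisory or from the Node.js project. It turns the facts above into a runtime check a defender can drop into a CI step or a startup hook: it compares the running Node.js version against the fixed releases (20.15.1 and 22.4.1), detects whether the experimental permission model is active (Node.js only defines process.permission when it is), and looks for --allow-fs-write in the process flags, since exposure requires all three conditions. The version strings used in the self-check are constructed samples.

```javascript
// Added example: audit a Node.js runtime for exposure to CVE-2024-36137.
// Facts taken from the advisory: affected lines are 20.x before 20.15.1 and
// 22.x before 22.4.1; exposure also needs the experimental permission model
// and the --allow-fs-write flag.

// Fixed releases as published in the advisory.
const FIXED_VERSIONS = { 20: [20, 15, 1], 22: [22, 4, 1] };

// Parse "v20.14.0" or "20.14.0" into [major, minor, patch]; null on bad input.
function parseNodeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is on an affected release line and predates the fix.
function isAffectedByCVE202436137(version) {
  const parsed = parseNodeVersion(version);
  if (!parsed) throw new TypeError(`unrecognised Node.js version: ${version}`);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return false; // advisory names only the 20.x and 22.x lines
  return compareVersions(parsed, fixed) < 0;
}

// Summarise a process: vulnerable version, permission model active
// (process.permission exists only under --experimental-permission), and
// --allow-fs-write present in execArgv. "exposed" requires all three.
// The proc and argv parameters default to the live process but can be
// injected for testing.
function auditRuntime(proc = process, argv = process.execArgv) {
  const permissionModelActive = typeof proc.permission !== 'undefined';
  const allowFsWrite = argv.some((a) => a.startsWith('--allow-fs-write'));
  const vulnerableVersion = isAffectedByCVE202436137(proc.version);
  return {
    version: proc.version,
    vulnerableVersion,
    permissionModelActive,
    allowFsWrite,
    exposed: vulnerableVersion && permissionModelActive && allowFsWrite,
  };
}

// Report on the process that runs this script.
console.log(JSON.stringify(auditRuntime(), null, 2));
```

Run it with the same flags the application uses (for example `node --experimental-permission --allow-fs-write=/data audit.js`) so that the permission-model and flag checks reflect the real deployment; a report with `vulnerableVersion: true` is the signal to upgrade, and `exposed: true` means the bypass described above is reachable in that configuration.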

This report was generated using AI.
