The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:2793 advisory.

    Node.js is a software development platform for building fast and scalable network applications in the     JavaScript programming language.

    Security Fix(es):

    * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks     (CVE-2024-22019)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.2.4 FP4 or 12.0.4. It is, therefore, affected by multiple vulnerabilities as referenced in the 7173592 advisory.

  - An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via     a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases     in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all     versions that can change the default behavior of how files are handled. Strapi does not consider this to     be a valid vulnerability. (CVE-2022-29622)

  - Node.js IP package could allow a remote attacker to execute arbitrary code on the system, caused by a     server-side request forgery flaw in the ip.isPublic() function. By sending a specially crafted request     using a hexadecimal representation of a private IP address, an attacker could exploit this vulnerability     to execute arbitrary code on the system and obtain sensitive information. (CVE-2023-42282)   
  - Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams     in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a     remote attacker could exploit this vulnerability to cause a denial of service due to server resource     consumption. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1444 advisory.

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202505-11 (Node.js: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in Node.js. Please review the CVE identifiers referenced     below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7628:01 advisory.

    * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks     (CVE-2024-22019)
      * nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset     Attack) (CVE-2023-44487)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0732-1 advisory.

  - A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel     during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in     decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely     exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios     involving API endpoints processing Json Web Encryption messages. Impacts: Thank you, to hkario for     reporting this vulnerability and thank you Michael Dawson for fixing it. (CVE-2023-46809)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

  - Node.js reports: Code injection and privilege escalation through Linux capabilities- (High) http: Reading     unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) Path traversal by     monkey-patching Buffer internals- (High) setuid() does not drop all privileges due to io_uring - (High)     Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1     v1.5 padding) - (Medium) Multiple permission model bypasses due to improper path traversal sequence     sanitization - (Medium) Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)     Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) (CVE-2024-22025)

  - libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function     in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to     256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like     `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft     payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due     to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and     subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a     terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar     to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache     these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username.
    This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2024-24806)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0730-1 advisory.

  - A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel     during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in     decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely     exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios     involving API endpoints processing Json Web Encryption messages. Impacts: Thank you, to hkario for     reporting this vulnerability and thank you Michael Dawson for fixing it. (CVE-2023-46809)

  - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges. (CVE-2024-21892)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

  - Node.js reports: Code injection and privilege escalation through Linux capabilities- (High) http: Reading     unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) Path traversal by     monkey-patching Buffer internals- (High) setuid() does not drop all privileges due to io_uring - (High)     Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1     v1.5 padding) - (Medium) Multiple permission model bypasses due to improper path traversal sequence     sanitization - (Medium) Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)     Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) (CVE-2024-22025)

  - Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization     headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been     patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for     this vulnerability. (CVE-2024-24758)

  - libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function     in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to     256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like     `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft     payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due     to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and     subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a     terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar     to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache     these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username.
    This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2024-24806)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0731-1 advisory.

  - A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel     during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in     decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely     exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios     involving API endpoints processing Json Web Encryption messages. Impacts: Thank you, to hkario for     reporting this vulnerability and thank you Michael Dawson for fixing it. (CVE-2023-46809)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

  -  Denial of Service by resource exhaustion in fetch() brotli decoding. (CVE-2024-22025)

  - Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization     headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been     patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for     this vulnerability. (CVE-2024-24758)

  - libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function     in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to     256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like     `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft     payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due     to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and     subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a     terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar     to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache     these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username.
    This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known     workarounds for this vulnerability. (CVE-2024-24806)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-569 advisory.

    A flaw was found in Node.js. On Linux, Node.js ignores certain environment variables if they have been set     by an unprivileged user while the process is running with elevated privileges, with the exception of     CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies     this exception even when other capabilities have been set. This may allow unprivileged users to inject     code that inherits the processes elevated privileges. (CVE-2024-21892)

    A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an     unbounded number of bytes from a single connection, which can allow an attacker to send a specially     crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.
    (CVE-2024-22019)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1687 advisory.

  - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as     the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore     `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using     the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js. (CVE-2024-21890)

  - Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions,     which can be overwitten with user-defined implementations leading to filesystem permission model bypass     through path traversal attack. This vulnerability affects all users using the experimental permission     model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model     is an experimental feature of Node.js. (CVE-2024-21891)

  - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges. (CVE-2024-21892)

  - The permission model protects itself against path traversal attacks by calling path.resolve() on any paths     given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to     obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely,     Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path     traversal vulnerability. This vulnerability affects all users using the experimental permission model in     Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an     experimental feature of Node.js. (CVE-2024-21896)

  - setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
    This allows the process to perform privileged operations despite presumably having dropped such privileges     through a call to setuid(). This vulnerability affects all users using version greater or equal than     Node.js 18.18.0, Node.js 20.4.0 and Node.js 21. (CVE-2024-22017)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

  - A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel     during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in     decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely     exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios     involving API endpoints processing Json Web Encryption messages. Impacts: Thank you, to hkario for     reporting this vulnerability and thank you Michael Dawson for fixing it. (CVE-2023-46809)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1688 advisory.

  - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as     the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore     `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using     the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js. (CVE-2024-21890)

  - Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions,     which can be overwitten with user-defined implementations leading to filesystem permission model bypass     through path traversal attack. This vulnerability affects all users using the experimental permission     model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model     is an experimental feature of Node.js. (CVE-2024-21891)

  - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges. (CVE-2024-21892)

  - The permission model protects itself against path traversal attacks by calling path.resolve() on any paths     given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to     obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely,     Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path     traversal vulnerability. This vulnerability affects all users using the experimental permission model in     Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an     experimental feature of Node.js. (CVE-2024-21896)

  - setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
    This allows the process to perform privileged operations despite presumably having dropped such privileges     through a call to setuid(). This vulnerability affects all users using version greater or equal than     Node.js 18.18.0, Node.js 20.4.0 and Node.js 21. (CVE-2024-22017)

  - A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits. (CVE-2024-22019)

  - A vulnerability in the privateDecrypt() API of the crypto library, allowed a covert timing side-channel     during PKCS#1 v1.5 padding error handling. The vulnerability revealed significant timing differences in     decryption for valid and invalid ciphertexts. This poses a serious threat as attackers could remotely     exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios     involving API endpoints processing Json Web Encryption messages. Impacts: Thank you, to hkario for     reporting this vulnerability and thank you Michael Dawson for fixing it. (CVE-2023-46809)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7668:01 advisory.

    * nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)     (CVE-2023-46809)
      * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks     (CVE-2024-22019)
      * nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
      * nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
      * nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization     (CVE-2024-21891)
      * nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
      * nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)     CVE-2023-46809
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when     announcing a new security problem. When the candidate has been publicized, the details for this candidate     will be provided.
    CVE-2024-21890     The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as     the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore     `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using     the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js.
    CVE-2024-21891     Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions,     which can be overwitten with user-defined implementations leading to filesystem permission model bypass     through path traversal attack. This vulnerability affects all users using the experimental permission     model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model     is an experimental feature of Node.js.
    CVE-2024-21892     On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges.
    CVE-2024-21896     The permission model protects itself against path traversal attacks by calling path.resolve() on any paths     given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to     obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely,     Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path     traversal vulnerability. This vulnerability affects all users using the experimental permission model in     Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an     experimental feature of Node.js.
    CVE-2024-22017     setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
    This allows the process to perform privileged operations despite presumably having dropped such privileges     through a call to setuid(). This vulnerability affects all users using version greater or equal than     Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
    CVE-2024-22019     A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits.
    Modularity name: nodejs     Stream name: 20

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7667:01 advisory.

    * nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)     (CVE-2023-46809)
      * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks     (CVE-2024-22019)
      * nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
      * nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
      * nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization     (CVE-2024-21891)
      * nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
      * nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)     CVE-2023-46809
    ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when     announcing a new security problem. When the candidate has been publicized, the details for this candidate     will be provided.
    CVE-2024-21890     The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as     the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore     `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using     the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was     issued, the permission model is an experimental feature of Node.js.
    CVE-2024-21891     Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions,     which can be overwitten with user-defined implementations leading to filesystem permission model bypass     through path traversal attack. This vulnerability affects all users using the experimental permission     model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model     is an experimental feature of Node.js.
    CVE-2024-21892     On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges.
    CVE-2024-21896     The permission model protects itself against path traversal attacks by calling path.resolve() on any paths     given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to     obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely,     Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path     traversal vulnerability. This vulnerability affects all users using the experimental permission model in     Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an     experimental feature of Node.js.
    CVE-2024-22017     setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid().
    This allows the process to perform privileged operations despite presumably having dropped such privileges     through a call to setuid(). This vulnerability affects all users using version greater or equal than     Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
    CVE-2024-22019     A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with     chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an     unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension     bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like     timeouts and body size limits.
    Modularity name: nodejs     Stream name: 20

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
195212	RHEL 8 : nodejs:16 (RHSA-2024:2793)	Nessus	Red Hat Local Security Checks	5/9/2024	4/3/2025	high
213274	IBM Cognos Analytics 11.2.x < 11.2.4 FP4 / 12.0.x < 12.0.4 Multiple Vulnerabilities (7173592)	Nessus	CGI abuses	12/20/2024	4/3/2025	critical
192607	Rocky Linux 8 : nodejs:16 (RLSA-2024:1444)	Nessus	Rocky Linux Local Security Checks	3/27/2024	4/3/2025	high
236407	GLSA-202505-11 : Node.js: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	5/14/2025	5/17/2025	critical
293076	MiracleLinux 8 : nodejs:16 (AXSA:2024-7628:01)	Nessus	Miracle Linux Local Security Checks	1/20/2026	1/21/2026	medium
191448	SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2024:0732-1)	Nessus	SuSE Local Security Checks	3/1/2024	3/6/2024	high
191451	SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:0730-1)	Nessus	SuSE Local Security Checks	3/1/2024	2/13/2025	high
191455	SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2024:0731-1)	Nessus	SuSE Local Security Checks	3/1/2024	3/1/2024	high
192444	Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2024-569)	Nessus	Amazon Linux Local Security Checks	3/21/2024	2/13/2025	high
195000	Rocky Linux 8 : nodejs:20 (RLSA-2024:1687)	Nessus	Rocky Linux Local Security Checks	5/6/2024	4/3/2025	critical
195012	Rocky Linux 9 : nodejs:20 (RLSA-2024:1688)	Nessus	Rocky Linux Local Security Checks	5/6/2024	4/3/2025	critical
292995	MiracleLinux 8 : nodejs:20 (AXSA:2024-7668:01)	Nessus	Miracle Linux Local Security Checks	1/20/2026	1/20/2026	critical
293031	MiracleLinux 9 : nodejs:20 (AXSA:2024-7667:01)	Nessus	Miracle Linux Local Security Checks	1/20/2026	1/20/2026	critical

Detections

Analytics

Plugins Search

high

critical

high

critical

medium

high

high

high

high

critical

critical

critical

critical