CVE-2024-21890 Overview
The Node.js Permission Model contains a documentation and implementation flaw in how wildcards are processed within file path permissions. The vulnerability arises because the permission model does not properly clarify that wildcards should only be used as the last character of a file path. When wildcards are used mid-path, Node.js ignores subsequent path components, granting broader file system access than intended.
Critical Impact
Attackers can exploit misleading wildcard behavior in the Node.js Permission Model to gain unintended file system access, potentially exposing sensitive files beyond the intended permission scope.
Affected Products
- Node.js 20.x (with experimental permission model enabled)
- Node.js 21.x (with experimental permission model enabled)
- All installations using --allow-fs-read or --allow-fs-write flags with mid-path wildcards
Discovery Timeline
- 2024-02-20 - CVE-2024-21890 published to NVD
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2024-21890
Vulnerability Analysis
This vulnerability stems from improper input validation in the Node.js experimental permission model's path parsing logic. When administrators configure file system permissions using wildcards (asterisks) within file paths, the permission model fails to properly interpret the intended restriction scope. The core issue is that wildcard characters placed anywhere other than at the end of a path are not processed as expected—instead, everything after the wildcard character is ignored, effectively expanding the permission scope.
For instance, if an administrator intends to restrict access to only .pub files within a user's .ssh directory by specifying --allow-fs-read=/home/node/.ssh/*.pub, the permission model incorrectly grants access to all files under the .ssh/ directory. This behavior contradicts the expected glob-style pattern matching that developers are accustomed to from shell environments.
Root Cause
The root cause is a combination of misleading documentation and permissive path parsing behavior. The permission model's path matching implementation treats wildcards as a truncation point rather than a glob pattern, silently expanding access beyond the administrator's intended scope. This creates a dangerous gap between expected and actual behavior, particularly for security-sensitive configurations.
Attack Vector
This vulnerability is exploitable over the network when Node.js applications are deployed with the experimental permission model enabled. An attacker who can influence the execution context or exploit another vulnerability in the application may be able to access files beyond the intended permission boundaries. The attack does not require authentication and has low complexity to exploit once the misconfigured permission is in place.
The misleading documentation leads administrators to believe they are implementing restrictive file access policies when, in reality, they are granting broader access. For example, an administrator attempting to restrict SSH key access to only public keys inadvertently exposes private keys, authorized_keys files, and other sensitive SSH configuration data.
Detection Methods for CVE-2024-21890
Indicators of Compromise
- Unexpected file access patterns in Node.js applications using the permission model
- Log entries showing access to files outside the intended wildcard scope
- Application behavior accessing sensitive directories like .ssh/, .config/, or credential storage locations
- Audit logs revealing file reads beyond the expected permission boundaries
Detection Strategies
- Review all --allow-fs-read and --allow-fs-write flags in Node.js application configurations for mid-path wildcards
- Implement file access monitoring on sensitive directories when running Node.js with permission model enabled
- Audit application logs for unexpected file access patterns that exceed intended permission scope
- Use static analysis tools to identify permission model configurations with potentially unsafe wildcard usage
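To make the two semantics concrete, here is an added example (not Node.js source and not the project's own code): a simplified model of the truncating behaviour described in the Vulnerability Analysis beside the shell-style glob an administrator expects, plus a small argv checker for the mid-path-wildcard review step listed above. The matcher functions and the shell-style glob model are illustrative assumptions, not Node's actual implementation.

```javascript
// Added example, not Node.js source: a simplified model of the two
// semantics described in the advisory, plus a checker for the review step.
// Assumption: the flawed matcher cuts the pattern at the first '*' and
// prefix-matches the rest; the intended matcher is a shell-style glob in
// which '*' matches any run of characters except '/'.

// Flawed behaviour: everything after the first '*' is ignored, so
// '/home/node/.ssh/*.pub' degrades to the prefix '/home/node/.ssh/'.
function allowedTruncating(pattern, filePath) {
  const star = pattern.indexOf('*');
  if (star === -1) return filePath === pattern;
  return filePath.startsWith(pattern.slice(0, star));
}

// Intended behaviour: '*' is a glob segment, so the '.pub' suffix is enforced.
function allowedGlob(pattern, filePath) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '[^/]*') + '$');
  return re.test(filePath);
}

// Review helper: return the --allow-fs-read/--allow-fs-write arguments whose
// wildcard is not the final character of the path (the unsafe shape).
function findMidPathWildcards(argv) {
  const findings = [];
  for (const arg of argv) {
    const m = /^--allow-fs-(?:read|write)=(.+)$/.exec(arg);
    if (!m) continue;
    const star = m[1].indexOf('*');
    if (star !== -1 && star !== m[1].length - 1) findings.push(arg);
  }
  return findings;
}

// Constructed sample: the advisory's .ssh/*.pub pattern against three files.
const pattern = '/home/node/.ssh/*.pub';
const samples = ['/home/node/.ssh/id_rsa.pub', '/home/node/.ssh/id_rsa',
                 '/home/node/.ssh/authorized_keys'];
for (const f of samples) {
  console.log(f, '| truncating:', allowedTruncating(pattern, f),
              '| glob:', allowedGlob(pattern, f));
}
// Constructed sample command line with one unsafe flag.
const argv = ['node', '--experimental-permission',
              '--allow-fs-read=/home/node/.ssh/*.pub',
              '--allow-fs-write=/app/logs/*', 'app.js'];
console.log('unsafe flags:', findMidPathWildcards(argv));
```

Under the truncating model the private key and authorized_keys are granted by a pattern that names only .pub files, which is exactly the gap the advisory describes.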
Monitoring Recommendations
- Enable detailed file system access logging for Node.js applications using the experimental permission model
- Monitor access attempts to sensitive directories that should be restricted by permission policies
- Implement alerting for any file access that falls outside expected application behavior patterns
- Regularly audit permission model configurations as part of security review processes
How to Mitigate CVE-2024-21890
Immediate Actions Required
- Audit all Node.js deployments for use of the experimental permission model with wildcard paths
- Review and reconfigure any --allow-fs-read or --allow-fs-write flags that use wildcards in non-terminal positions
- Update to the latest Node.js version that addresses this documentation and behavior issue
- Consider temporarily disabling the permission model if secure configuration cannot be immediately verified
Patch Information
Node.js has addressed this vulnerability by updating documentation and clarifying wildcard behavior. Users should update to the latest patched versions of Node.js 20.x and 21.x. Review the HackerOne Report #2257156 for the original security report, and the NetApp Security Advisory for additional vendor guidance. The Openwall OSS-Security Discussion provides community context on this vulnerability.
Workarounds
- Only use wildcards at the end of file paths in permission model configurations (e.g., /path/to/directory/*)
- Specify explicit file paths instead of relying on wildcard patterns for sensitive directories
- Implement additional application-level access controls as a defense-in-depth measure
- Consider using containerization or OS-level sandboxing as an alternative or supplement to the Node.js permission model
# Correct wildcard usage - wildcard at end of path only
# Note: this grants every file under .ssh/, private keys included; prefer the explicit-file form below when only public keys are needed
node --experimental-permission --allow-fs-read=/home/node/.ssh/* app.js
# Alternative: specify explicit files instead of wildcards
node --experimental-permission --allow-fs-read=/home/node/.ssh/id_rsa.pub --allow-fs-read=/home/node/.ssh/id_ed25519.pub app.js
# A configuration that passes review: every wildcard is the final character of its path
node --experimental-permission --allow-fs-read=/app/data/* --allow-fs-write=/app/logs/* app.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.