Cyber Resilience

CVE-2024-22018

Low

Published: 10 July 2024

Published
10 July 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0022 44.4th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-22018 is a low-severity an unspecified weakness vulnerability in Hackerone (inferred from references). Its CVSS base score is 2.9 (Low).

Operationally, ranked at the 44.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a…

more

result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hackerone
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References