漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
N/A
Vulnerability Description
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Node.js 安全漏洞
Vulnerability Description
Node.js是Node.js开源的一个开源、跨平台的 JavaScript 运行时环境。 Node.js 20.x版本、22.x版本、24.x版本和25.x版本存在安全漏洞,该漏洞源于权限模型文件系统执行中缺少对FileHandle.chmod和FileHandle.chown的权限检查,可能导致绕过文件系统写入限制。
CVSS Information
N/A
Vulnerability Type
N/A