Node.js File Handle Permission Bypass Vulnerability in Promises API

Vulnerability

A vulnerability exists in the Node.js promises API: the `FileHandle.chmod()` and `FileHandle.chown()` methods lack the necessary permission checks. The issue arises from an incomplete fix for CVE-2024-36137 and allows code to modify file permissions and ownership on open file descriptors. It affects Node.js versions 20.x, 22.x, 24.x, and 25.x when the Permission Model is used with `--allow-fs-write` restricted.

Impact

Exploitation of this vulnerability allows for unauthorized modification of file permissions and ownership, bypassing intended write restrictions.

Remediation

Users can upgrade to Node.js versions 20.20.2, 22.22.2, 24.14.1, or 25.8.2 to address this vulnerability.
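
The following added example (not code from the Node.js project or from this advisory) classifies a runtime against the fixed releases listed above and checks whether the Permission Model is restricting file system writes. The function names and status strings are hypothetical; `process.permission` is assumed to be defined only when the Permission Model is enabled.

```javascript
// Fixed release per affected line, taken from the Remediation section above.
const FIXED = { 20: [20, 20, 2], 22: [22, 22, 2], 24: [24, 14, 1], 25: [25, 8, 2] };

// Parse "v22.22.1" or "22.22.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples (so 8.10 > 8.2).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify a runtime. writeRestricted: the Permission Model is on and
// file system writes are not fully allowed (the condition the advisory names).
function assessExposure(version, writeRestricted) {
  const parsed = parseVersion(version);
  if (!parsed) return 'unparseable-version';
  const fixed = FIXED[parsed[0]];
  if (!fixed) return 'line-not-listed';      // advisory names only 20/22/24/25
  if (compare(parsed, fixed) >= 0) return 'patched';
  return writeRestricted ? 'exposed' : 'unpatched-not-restricted';
}

// Inspect the running process. has('fs.write') with no path asks whether
// ALL writes are allowed, so a false result means writes are restricted.
function assessCurrentProcess() {
  const restricted = typeof process.permission !== 'undefined' &&
    !process.permission.has('fs.write');
  return assessExposure(process.versions.node, restricted);
}

console.log(`${process.version}: ${assessCurrentProcess()}`);
```

Run it under the same flags as the production workload, since the result depends on how the Permission Model is configured for that process.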

Added: Mar 30, 2026, 8:34 PM
Updated: Mar 30, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.