CVE-2024-37372

LOW3.6EPSS 0.07%

Published: 1/9/2025Modified: 12/3/2025

Description

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

Affected packages (3)

Alpine/nodejsfrom 0, < 0
Bitnami/node>= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
Bitnami/node-min>= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.6	CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2024-37372
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-37372
WEBhttps://security.netapp.com/advisory/ntap-20250502-0010/
WEBhttp://www.openwall.com/lists/oss-security/2024/07/11/6
WEBhttp://www.openwall.com/lists/oss-security/2024/07/19/3