2024-07-08, Version 22.4.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
- CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
- CVE-2024-22018 - fs.lstat bypasses permission model (Low)
- CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
- CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Commits
- [
110902ff5e
] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522 - [
0a0de3d491
] - lib,permission: support fs.lstat (RafaelGSS) - [
93574335ff
] - lib,permission: disable fchmod/fchown when pm enabled (RafaelGSS) nodejs-private/node-private#584 - [
09899e6302
] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596 - [
5d9c811634
] - src,permission: fix UNC path resolution (RafaelGSS) nodejs-private/node-private#581