The vulnerability description and the official Node.js security advisory explicitly name fs.fchown and fs.fchmod as the functions that can bypass the permission model. These functions, part of the built-in 'fs' module, change a file's ownership and permissions through a file descriptor, even if that descriptor was obtained with read-only access. This behavior circumvents the intended restrictions of the experimental permission model when the --allow-fs-write flag is active. Since no commit information was provided, the analysis relies on the textual descriptions of the vulnerability from trusted sources such as the Node.js security blog and GitHub advisories. Those sources clearly identify these functions as the source of the vulnerability: under certain conditions (use of the --allow-fs-write flag), they allow operations on file descriptors that the permission model should restrict.
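A non-destructive self-check for the behavior described above, added here as an example (it is not code from the Node.js project or the advisory): it opens a file read-only, re-applies the file's existing mode with fs.fchmodSync, and reports whether the runtime allowed the call. The function names, verdict strings and sample file are assumptions of this example; process.permission is only present when the permission model is enabled.

```javascript
'use strict';
// Added example, not from the Node.js project. The probe re-applies the
// file's current mode, so nothing on disk changes.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper name. `target` must be readable by this process.
function probeReadOnlyFdChmod(target) {
  const file = path.resolve(target);
  // process.permission is undefined unless the permission model is enabled.
  const perm = process.permission;
  const modelActive = perm !== undefined && typeof perm.has === 'function';
  const writeGranted = modelActive ? perm.has('fs.write', file) : null;

  const fd = fs.openSync(file, 'r'); // read-only descriptor
  let succeeded = false;
  let errorCode = null;
  try {
    const mode = fs.fstatSync(fd).mode & 0o7777; // current permission bits
    fs.fchmodSync(fd, mode); // metadata write through the read-only fd
    succeeded = true;
  } catch (err) {
    errorCode = err.code || String(err);
  } finally {
    fs.closeSync(fd);
  }

  let verdict;
  if (!modelActive) verdict = 'permission-model-off';
  else if (writeGranted) verdict = 'write-granted-for-target';
  else verdict = succeeded ? 'bypass-present' : 'denied';
  return { modelActive, writeGranted, succeeded, errorCode, verdict };
}

// Constructed sample input: a throwaway file in a fresh temp directory.
function makeSampleFile() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'fd-probe-'));
  const file = path.join(dir, 'sample.txt');
  fs.writeFileSync(file, 'constructed sample\n', { mode: 0o640 });
  return file;
}

// Print a report when a target path is passed on the command line.
if (process.argv[2]) console.log(probeReadOnlyFdChmod(process.argv[2]));
```

Run it against a file the process may read but has no write grant for; a verdict of bypass-present means the descriptor-based call went through despite the missing grant.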