fs.statfs bypasses Permission Model

Low
Node.js

Team Summary

Official summary from Node.js

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Reported by rafaelgss

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
**Summary:** `fs.statfs` is not limited by the permission model check

**Description:** `fs.statfs` doesn't throw ERR_ACCESS_DENIED when accessing a restricted path, being able to get stat information of the file

## Steps To Reproduce:

```console
touch ./test.js
```

```js
// index.js
const fs = require('fs')
fs.statfs('./test.js', (err, stats) => {
  console.log('stats', stats)
})
```

```
$ node --experimental-permission --allow-fs-read=/path/to/index.js
(node:756097) ExperimentalWarning: Permission is an experimental feature
(Use `node --trace-warnings ...` to show where the warning was created)
stats StatFs {
  type: 61267,
  bsize: 4096,
  blocks: 56377128,
  bfree: 27380986,
  bavail: 24498982,
  files: 14393344,
  ffree: 12478020
}
```

## Impact

Even though it can't read the file contents, it can still perform I/O against that file to retrieve file stats and to check if a file exists.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Improper Access Control - Generic