CVE-2024-21890: Vulnerability in NodeJS Node
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example:
```
--allow-fs-read=/home/node/.ssh/*.pub
```
will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
AI Analysis
Technical Summary
CVE-2024-21890 is a medium-severity vulnerability affecting the experimental permission model in Node.js versions 4.0 through 21.0, including the latest releases 20.0 and 21.0. The issue arises from misleading documentation regarding the use of wildcards in file path permissions. Specifically, the Node.js permission model documentation does not clarify that wildcards should only be used as the last character in a file path. For example, the permission flag `--allow-fs-read=/home/node/.ssh/*.pub` is intended to restrict read access to files ending with `.pub` in the `.ssh` directory. However, due to the flawed interpretation, the wildcard is ignored, effectively granting read access to all files and directories under `.ssh/`, not just those matching the `.pub` pattern. This can lead to unintended privilege escalation where a Node.js application running with restricted file system read permissions inadvertently gains broader access to sensitive files. The vulnerability affects the experimental permission model, which is not yet the default in Node.js, but is used by developers seeking enhanced security controls. Exploitation requires local access (attack vector: local), low attack complexity, no privileges required, but user interaction is needed (e.g., running a Node.js process with the misconfigured permission flags). The vulnerability impacts confidentiality and integrity by allowing unauthorized read access to files, but does not affect availability. The scope is changed, meaning the vulnerability can affect resources beyond the intended permission boundaries. No known exploits in the wild have been reported at the time of publication. The CVSS 3.0 base score is 5.0 (medium severity), reflecting the moderate risk posed by this issue given its experimental feature status and local attack vector.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to development and production environments using Node.js with the experimental permission model enabled. Organizations relying on Node.js for server-side applications, especially those handling sensitive data such as personal information, cryptographic keys, or configuration files stored in restricted directories, may inadvertently expose these assets due to the wildcard misinterpretation. This could lead to data leakage or unauthorized data access, undermining confidentiality and potentially violating data protection regulations such as GDPR. The impact is heightened in sectors with stringent data security requirements, including finance, healthcare, and critical infrastructure. Since exploitation requires local access and user interaction, the threat is more relevant in environments where untrusted code execution or insider threats exist. Additionally, development teams using the experimental permission model without fully understanding the wildcard behavior may unknowingly introduce security gaps. The vulnerability does not directly affect availability, but unauthorized access to sensitive files could facilitate further attacks or lateral movement within networks. Given the widespread adoption of Node.js across Europe, especially in technology hubs and enterprises, the vulnerability could affect a broad range of organizations if the experimental permission model is used improperly.
Mitigation Recommendations
1. Avoid using the experimental permission model in production environments until this issue is resolved or better documented.
2. If the experimental permission model must be used, strictly adhere to the documented wildcard usage by placing wildcards only as the last character in file paths, and validate permissions carefully.
3. Conduct thorough code and configuration reviews to identify any usage of `--allow-fs-read` or similar flags with wildcards that may grant excessive file system access.
4. Implement additional access controls at the operating system level, such as mandatory access controls (e.g., AppArmor, SELinux) or file system permissions, to limit Node.js process access regardless of permission model misconfigurations.
5. Monitor and audit file access logs for unexpected reads of sensitive directories like `.ssh` or configuration folders.
6. Educate developers and DevOps teams about the experimental nature of the permission model and the specific wildcard usage constraints to prevent misconfiguration.
7. Track Node.js updates and apply patches or fixes addressing this vulnerability once available.
8. Consider containerization or sandboxing Node.js applications to isolate file system access further and reduce risk from permission model flaws.
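A check for recommendation 3, added here as an example and not code from Node.js or from this advisory: it scans command lines for `--allow-fs-read` / `--allow-fs-write` values whose wildcard is not the last character and reports the grant that results, following the `.ssh/*.pub` case described above. The script names and paths in `SAMPLE_SCRIPTS` are constructed, and treating commas as separators between paths is an assumption of the example.

```javascript
// Added example: find --allow-fs-read / --allow-fs-write values whose
// wildcard is not the final character of the path.
const FS_FLAGS = ['--allow-fs-read', '--allow-fs-write'];

const stripQuotes = (s) => s.replace(/^["']|["']$/g, '');

// Audit one command line; returns one finding per misplaced wildcard.
function auditCommand(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const findings = [];
  for (let i = 0; i < tokens.length; i++) {
    const [flag, ...rest] = tokens[i].split('=');
    if (!FS_FLAGS.includes(flag)) continue;
    // Accept both "--flag=value" and "--flag value".
    const raw = rest.length ? rest.join('=') : tokens[i + 1] || '';
    // Assumption: commas separate several paths in one flag value.
    for (const entry of stripQuotes(raw).split(',')) {
      const value = stripQuotes(entry);
      const star = value.indexOf('*');
      if (star === -1 || star === value.length - 1) continue; // none, or trailing
      findings.push({
        flag,
        value,
        ignored: value.slice(star + 1),      // suffix dropped, as with "pub" above
        effective: value.slice(0, star + 1), // what is actually granted
      });
    }
  }
  return findings;
}

// Audit a package.json-style map of script name -> command line.
function auditScripts(scripts) {
  return Object.entries(scripts).flatMap(([script, cmd]) =>
    auditCommand(cmd).map((finding) => ({ script, ...finding })));
}

// Constructed sample input (script names and paths are illustrative).
const SAMPLE_SCRIPTS = {
  start: 'node --experimental-permission --allow-fs-read=/home/node/.ssh/*.pub app.js',
  worker: 'node --experimental-permission --allow-fs-read=/srv/app/* --allow-fs-write=/tmp/* worker.js',
  report: "node --experimental-permission --allow-fs-read='/srv/data/*/reports' report.js",
};

for (const f of auditScripts(SAMPLE_SCRIPTS)) {
  console.log(`${f.script}: ${f.flag}=${f.value} grants ${f.effective} ("${f.ignored}" is ignored)`);
}
```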
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Ireland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2024-01-03T01:04:06.539Z
- Cisa Enriched: true
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 682d983ac4522896dcbed5bd
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 1:46:17 PM
Last updated: 7/31/2025, 7:31:59 PM